First published: Mon Jan 10 2022
Node.js could allow a remote attacker to bypass name constraints applied within a certificate chain. Node.js converts a certificate's Subject Alternative Names (SANs) to a string representation and consults that string when matching a peer certificate against the expected hostname; the string format was subject to injection, so a crafted SAN entry could introduce a name that the chain's name constraints were never checked against. An attacker who can obtain such a certificate from a name-constrained CA could exploit this to bypass those constraints.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-nodejs12-nodejs | <0:12.22.12-2.el7 | 0:12.22.12-2.el7 |
redhat/rh-nodejs14-nodejs | <0:14.20.1-2.el7 | 0:14.20.1-2.el7 |
debian/nodejs | <=10.24.0~dfsg-1~deb10u1; <=10.24.0~dfsg-1~deb10u3 | 12.22.12~dfsg-1~deb11u4; 18.13.0+dfsg1-1 |
redhat/node | <12.22.9 | 12.22.9 |
redhat/node | <14.18.3 | 14.18.3 |
redhat/node | <16.13.2 | 16.13.2 |
redhat/node | <17.3.1 | 17.3.1 |
Nodejs Node.js | <12.22.9 | |
Nodejs Node.js | >=14.0.0<14.18.3 | |
Nodejs Node.js | >=16.0.0<16.13.2 | |
Nodejs Node.js | >=17.0.0<17.3.1 | |
Oracle GraalVM | =20.3.5 | |
Oracle GraalVM | =21.3.1 | |
Oracle GraalVM | =22.0.0.2 | |
Oracle MySQL Cluster | <=8.0.29 | |
Oracle Mysql Connectors | <=8.0.28 | |
Oracle Mysql Enterprise Monitor | <=8.0.29 | |
Oracle Mysql Server | <=5.7.37 | |
Oracle Mysql Server | >=8.0.0<=8.0.28 | |
Oracle Mysql Workbench | >=8.0.0<=8.0.28 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
Debian Debian Linux | =11.0 | |
IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
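A small check that turns the Node.js version ranges in the table above into a yes/no answer for a running interpreter. This is an added helper, not code from the page or from the Node.js project; it encodes only the upstream Node.js rows (fixes in 12.22.9, 14.18.3, 16.13.2 and 17.3.1, and every release below 12.22.9 affected), and reports major lines the table does not mention (13.x, 15.x, 18+) as "not-listed" rather than guessing.

```javascript
// Added helper: classify a Node.js version against the affected ranges this
// advisory lists for CVE-2021-44532. Not part of the page or of Node.js itself.

// First fixed release per major line, taken from the table above.
const FIXED = {
  12: [12, 22, 9],
  14: [14, 18, 3],
  16: [16, 13, 2],
  17: [17, 3, 1],
};

// Accepts "v16.13.1", "16.13.1", "v16.13.1-pre" etc.; returns [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'affected', 'fixed' or 'not-listed'.
function cve202144532Status(versionString) {
  const v = parseVersion(versionString);
  // The table lists every release below 12.22.9 as affected, which covers
  // the 10.x packages shipped by Debian as well as all of 12.x before the fix.
  if (v[0] < 12) return 'affected';
  const fixed = FIXED[v[0]];
  if (!fixed) return 'not-listed';            // 13.x, 15.x, 18+ are not in the table
  return compareVersions(v, fixed) < 0 ? 'affected' : 'fixed';
}

// Stand-alone use: report on the interpreter running this script.
console.log(process.version, cve202144532Status(process.version));
```

Distribution packages (the redhat/ and debian/ rows) backport fixes under their own version numbers, so for those use the package manager's advisory data rather than this upstream-only mapping.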
CVE-2021-44532 is a vulnerability in Node.js that allows a remote attacker to bypass certificate name constraints by way of a string injection.
Affected Node.js releases are all versions before 12.22.9, 14.0.0 up to but not including 14.18.3, 16.0.0 up to but not including 16.13.2, and 17.0.0 up to but not including 17.3.1; the fixes shipped in 12.22.9, 14.18.3, 16.13.2 and 17.3.1.
CVE-2021-44532 arises because Node.js converts a certificate's SANs (Subject Alternative Names) to a string format; that format was subject to injection, so a crafted SAN entry could bypass name constraints applied within the certificate chain.
CVE-2021-44532 has a CVSS base score of 7.4 (High).
CVE-2021-44532 is associated with CWE-295 (Improper Certificate Validation) and CWE-296 (Improper Following of a Certificate's Chain of Trust).
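The following is an added illustration of the bug class this advisory describes, written for this page; it is a simplified model and not Node.js's own SAN handling. A certificate's SAN entries are flattened to a "TYPE:value, TYPE:value" string, and a hostname check is then performed by parsing that string back. Name constraints are enforced on the structured entries (as a path validator would), so a non-DNS entry whose value contains the delimiter sequence ", DNS:" passes the constraint check yet, after the naive round trip through the string, appears as an extra DNS name. The certificate contents, the permitted subtree and the names used are all constructed for the example.

```javascript
// Added example: delimiter injection in a flattened SAN string, and a quoted
// serialisation that closes it. Simplified model; not Node.js code. All SAN
// entries, hostnames and constraints below are constructed for illustration.

// SAN entries are { type: 'DNS' | 'URI' | 'email' | ..., value: string }.

// Vulnerable serialisation: plain join, no escaping of the ", " delimiter.
function sansToStringNaive(sans) {
  return sans.map(s => `${s.type}:${s.value}`).join(', ');
}

// Hardened serialisation: quote values containing delimiter characters,
// escaping backslashes and double quotes inside the quoted form.
function sansToStringSafe(sans) {
  return sans.map(s => {
    const needsQuote = /[,"\s\\]/.test(s.value);
    const v = needsQuote
      ? `"${s.value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`
      : s.value;
    return `${s.type}:${v}`;
  }).join(', ');
}

// Parser for the flattened string. Understands both the bare form and the
// quoted form produced above, so the same parser reads either serialisation.
function parseSanString(str) {
  const out = [];
  let i = 0;
  while (i < str.length) {
    const colon = str.indexOf(':', i);
    if (colon < 0) throw new Error('malformed SAN string');
    const type = str.slice(i, colon);
    i = colon + 1;
    let value = '';
    if (str[i] === '"') {                       // quoted value: read to closing quote
      i++;
      while (i < str.length && str[i] !== '"') {
        if (str[i] === '\\' && i + 1 < str.length) i++;   // unescape \x
        value += str[i++];
      }
      i++;                                      // skip closing quote
    } else {                                    // bare value: read to next ", "
      const end = str.indexOf(', ', i);
      value = end < 0 ? str.slice(i) : str.slice(i, end);
      i += value.length;
    }
    out.push({ type, value });
    if (str.startsWith(', ', i)) i += 2;
    else if (i < str.length) throw new Error('malformed SAN string');
  }
  return out;
}

// Structural name-constraint check: every DNS SAN must sit inside a permitted
// DNS subtree. Operates on the structured entries, never on the string.
function dnsSansWithinConstraints(sans, permittedBases) {
  return sans
    .filter(s => s.type === 'DNS')
    .every(s => permittedBases.some(b => s.value === b || s.value.endsWith('.' + b)));
}

// Hostname check performed on the flattened string, the pattern that made
// the injection exploitable.
function hostMatchesFromString(sanString, host) {
  return parseSanString(sanString)
    .some(s => s.type === 'DNS' && s.value.toLowerCase() === host.toLowerCase());
}

// Constructed scenario: a CA constrained to example.com issues a leaf with one
// genuine DNS SAN and a URI SAN whose value smuggles ", DNS:evil.test".
const PERMITTED = ['example.com'];
const LEAF_SANS = [
  { type: 'DNS', value: 'www.example.com' },
  { type: 'URI', value: 'https://www.example.com/, DNS:evil.test' },
];

function demo() {
  return {
    constraintsOk: dnsSansWithinConstraints(LEAF_SANS, PERMITTED),            // true
    naiveAccepts: hostMatchesFromString(sansToStringNaive(LEAF_SANS), 'evil.test'), // true: bypass
    safeAccepts: hostMatchesFromString(sansToStringSafe(LEAF_SANS), 'evil.test'),   // false
  };
}

console.log(demo());
```

The quoting fix closes the injection, but the more robust design is to never re-parse a flattened string: match the hostname against the structured SAN entries the chain validator already checked. Application code that itself splits the `subjectaltname` string returned by Node's `getPeerCertificate()` on ", " inherits the same weakness and should be reviewed on the same basis.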