First published: Mon Jan 10 2022(Updated: )
Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names. By crafting certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, an attacker could exploit this vulnerability to bypass the certificate subject verification.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-nodejs12-nodejs | <0:12.22.12-2.el7 | 0:12.22.12-2.el7 |
redhat/rh-nodejs14-nodejs | <0:14.20.1-2.el7 | 0:14.20.1-2.el7 |
debian/nodejs | <=10.24.0~dfsg-1~deb10u1<=10.24.0~dfsg-1~deb10u3 | 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 |
redhat/node | <12.22.9 | 12.22.9 |
redhat/node | <14.18.3 | 14.18.3 |
redhat/node | <16.13.2 | 16.13.2 |
redhat/node | <17.3.1 | 17.3.1 |
Nodejs Node.js | <12.22.9 | |
Nodejs Node.js | >=14.0.0<14.18.3 | |
Nodejs Node.js | >=16.0.0<16.13.2 | |
Nodejs Node.js | >=17.0.0<17.3.1 | |
Oracle GraalVM | =20.3.5 | |
Oracle GraalVM | =21.3.1 | |
Oracle GraalVM | =22.0.0.2 | |
Oracle MySQL Cluster | <8.0.29 | |
Oracle MySQL Cluster | =8.0.29 | |
Oracle Mysql Connectors | <=8.0.28 | |
Oracle Mysql Enterprise Monitor | <=8.0.29 | |
Oracle Mysql Server | <=5.7.37 | |
Oracle Mysql Server | >=8.0.0<=8.0.28 | |
Oracle Mysql Workbench | <=8.0.28 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
Debian Debian Linux | =11.0 | |
IBM Cognos Controller | <=11.0.0 - 11.0.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2021-44533 is a vulnerability found in Node.js versions prior to 12.22.9, 14.18.3, 16.13.2, and 17.3.1.
CVE-2021-44533 has a severity rating of 7.4, which is considered high.
CVE-2021-44533 affects Node.js versions prior to 12.22.9, 14.18.3, 16.13.2, and 17.3.1. It does not handle multi-value Relative Distinguished Names correctly, which could allow attackers to craft malicious certificates.
To fix CVE-2021-44533 in Node.js, you should update to version 12.22.9, 14.18.3, 16.13.2, or 17.3.1, which contain the necessary security patches.
You can find more information about CVE-2021-44533 in the official Node.js security releases blog post and the associated bugzilla entries.