CVE-2021-44533

{"id": "CVE-2021-44533", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-02-24T19:15:09.407", "references": [{"url": "https://hackerone.com/reports/1429694", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "tags": ["Release Notes", "Vendor Advisory"], "source": "support@hackerone.com"}, {"url": "https://security.netapp.com/advisory/ntap-20220325-0007/", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://www.debian.org/security/2022/dsa-5170", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/1429694", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20220325-0007/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2022/dsa-5170", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-295"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable."}, {"lang": "es", "value": "Node.js versiones anteriores a 12.22.9, versiones anteriores a 14.18.3, versiones anteriores a 16.13.2, y versiones anteriores a 17.3.1, no manejaba correctamente los Nombres Distinguidos Relativos de varios valores. Los atacantes podr\u00edan dise\u00f1ar sujetos de certificados que contengan un Nombre Distinguido Relativo de un solo valor que ser\u00eda interpretado como un Nombre Distinguido Relativo de varios valores, por ejemplo, para inyectar un Nombre Com\u00fan que permitir\u00eda omitir la verificaci\u00f3n del sujeto del certificado. Las versiones afectadas de Node.js que no aceptan Nombres Distinguidos Relativos de varios valores y, por lo tanto, no son vulnerables a tales ataques por s\u00ed mismas. Sin embargo, el c\u00f3digo de terceros que usa la presentaci\u00f3n ambigua de sujetos de certificados de Node puede ser vulnerable"}], "lastModified": "2024-11-21T06:31:10.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "DAE16BC9-7B14-48DA-ADEB-D1898E0B9885", "versionEndExcluding": "12.22.9"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "8499B085-A803-4958-BB99-8E7FABB177BB", "versionEndExcluding": "14.18.3", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "113157AB-0571-4244-A857-ADE4F4EA1F11", "versionEndExcluding": "16.13.2", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "9DF5B801-BC99-4F91-B350-C14A5998532C", "versionEndExcluding": "17.3.1", "versionStartIncluding": "17.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:20.3.5:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "079F2588-2746-408B-9BB0-9A569289985B"}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.3.1:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "51600424-E294-41E0-9C8B-12D0C3456027"}, {"criteria": "cpe:2.3:a:oracle:graalvm:22.0.0.2:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "C3D12B98-032F-49A6-B237-E0CAD32D9A25"}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C122D22-D058-4395-8D18-A031B4157968", "versionEndExcluding": "8.0.29"}, {"criteria": "cpe:2.3:a:oracle:mysql_cluster:8.0.29:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FF59ECA-F63D-4DD5-A4B4-CD31731C0CC2"}, {"criteria": "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "727AE4B8-ECED-4942-B378-AC869D39D8D0", "versionEndIncluding": "8.0.28"}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747", "versionEndIncluding": "8.0.29"}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "361CAD5F-8866-44CC-A47E-C0E98A9FAABA", "versionEndIncluding": "5.7.37"}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D713546-8144-491B-B3D9-FBE437E4A442", "versionEndIncluding": "8.0.28", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BDC629D-CC4C-4903-8A06-BF5823457996", "versionEndIncluding": "8.0.28"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9"}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}