MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2021-44532

CVSS 5.3v3.1pub. 2022-02-24upd. 2024-11-21

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Debian

    OS
    Debian
    11.0
  • Node.js

    APP
    Nodejs
    14.0.0 – 14.18.3 (bez)16.0.0 – 16.13.2 (bez)17.0.0 – 17.3.1 (bez)< 12.22.9
  • Oracle Graalvm

    APP
    Oracle
    20.3.521.3.122.0.0.2
  • Oracle MySQL Cluster

    APP
    Oracle
    ≤ 8.0.29
  • Oracle MySQL Connectors

    APP
    Oracle
    ≤ 8.0.28
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    ≤ 8.0.29
  • Oracle MySQL Server

    APP
    Oracle
    ≤ 5.7.378.0.0 – 8.0.28
  • Oracle MySQL Workbench

    APP
    Oracle
    8.0.0 – 8.0.28
  • Oracle Peoplesoft Enterprise Peopletools

    APP
    Oracle
    8.588.59
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)