CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
77.5%
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs
(Subject Alternative Names) to a string format. It uses this string to
check peer certificates against hostnames when validating connections. The
string format was subject to an injection vulnerability when name
constraints were used within a certificate chain, allowing the bypass of
these name constraints.Versions of Node.js with the fix for this escape
SANs containing the problematic characters in order to prevent the
injection. This behavior can be reverted through the --security-revert
command-line option.
github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677 (v12.x)
launchpad.net/bugs/cve/CVE-2021-44532
nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532
nvd.nist.gov/vuln/detail/CVE-2021-44532
security-tracker.debian.org/tracker/CVE-2021-44532
www.cve.org/CVERecord?id=CVE-2021-44532
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
77.5%