CalvinBackup/CVEs-PoC
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2026-02-12 18:42:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
CVEs-PoC/2021/CVE-2021-44531.md
0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09
2025-09-29 21:09:30 +02:00

32 lines
2.2 KiB
Markdown
Raw Permalink Blame History

### [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531)
![](https://img.shields.io/static/v1?label=Product&message=Node&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=10.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=11.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=12.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=13.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=14.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=15.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=16.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=17.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=4.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=5.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=6.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=7.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=8.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=9.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Improper%20Certificate%20Validation%20(CWE-295)&color=brightgreen)
### Description
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
### POC
#### Reference
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
#### Github
- https://github.com/ARPSyndicate/cvemon
Reference in New Issue View Git Blame Copy Permalink