CVE-2021-44533

Advisory lineage Upstream: 0 Downstream: 22

Downstream

ALPINE-CVE-2021-44533 DEBIAN-CVE-2021-44533 DSA-5170-1 MGASA-2022-0077 OPENSUSE-SU-2022:0112-1 OPENSUSE-SU-2022:0113-1

Modified

Published: 24 Feb 2022, 18:27

Last modified:30 Apr 2025, 22:24

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

5.3 MEDIUM

v3.1 (nvd)

EPSS Score

0.36% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

24 Feb 2022, 18:27

Published

Vulnerability first disclosed

30 Apr 2025, 22:24

Last Modified

Vulnerability information updated

Description

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.36%• Percentile: 59%

Techniques & Countermeasures

CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

Affected Systems

debian•debian_linux
11.0
nodejs•node
≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.22.9 | ≥ 13.0, < 13.* | ≥ 14.0, < 14.18.3 | ≥ 15.0, < 15.* | ≥ 16.0, < 16.13.2 | ≥ 17.0, < 17.3.1
nodejs•node.js
< 12.22.9 | ≥ 14.0.0, < 14.18.3 | ≥ 16.0.0, < 16.13.2 | ≥ 17.0.0, < 17.3.1
oracle•graalvm
20.3.5 | 21.3.1 | 22.0.0.2
oracle•mysql_cluster
< 8.0.29 | 8.0.29
oracle•mysql_connectors
≤ 8.0.28
oracle•mysql_enterprise_monitor
≤ 8.0.29
oracle•mysql_server
≤ 5.7.37 | ≥ 8.0.0, ≤ 8.0.28
oracle•mysql_workbench
≤ 8.0.28
oracle•peoplesoft_enterprise_peopletools
8.58 | 8.59