Vulnerability-Lookup

WID-SEC-W-2022-0099

Vulnerability from csaf_certbund - Published: 2022-01-10 23:00 - Updated: 2025-07-15 22:00

Summary

Node.js: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Dateien zu manipulieren.

Betroffene Betriebssysteme: - Linux - MacOS X - Sonstiges - UNIX - Windows

CVE-2021-44531

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source Node.js <v12.22.9 (LTS) Open Source / Node.js		<v12.22.9 (LTS)
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-`	—
IBM Cognos Analytics <11.2.3 IBM / Cognos Analytics		<11.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Node.js <v14.18.3 (LTS) Open Source / Node.js		<v14.18.3 (LTS)
Open Source Node.js <v16.13.2 (LTS) Open Source / Node.js		<v16.13.2 (LTS)
IBM Cognos Analytics <11.1.7 FP5 IBM / Cognos Analytics		<11.1.7 FP5
Open Source Node.js <v17.3.1 Open Source / Node.js		<v17.3.1
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2021-44532

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source Node.js <v12.22.9 (LTS) Open Source / Node.js		<v12.22.9 (LTS)
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-`	—
IBM Cognos Analytics <11.2.3 IBM / Cognos Analytics		<11.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Node.js <v14.18.3 (LTS) Open Source / Node.js		<v14.18.3 (LTS)
Open Source Node.js <v16.13.2 (LTS) Open Source / Node.js		<v16.13.2 (LTS)
IBM Cognos Analytics <11.1.7 FP5 IBM / Cognos Analytics		<11.1.7 FP5
Open Source Node.js <v17.3.1 Open Source / Node.js		<v17.3.1
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2021-44533

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source Node.js <v12.22.9 (LTS) Open Source / Node.js		<v12.22.9 (LTS)
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-`	—
IBM Cognos Analytics <11.2.3 IBM / Cognos Analytics		<11.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Node.js <v14.18.3 (LTS) Open Source / Node.js		<v14.18.3 (LTS)
Open Source Node.js <v16.13.2 (LTS) Open Source / Node.js		<v16.13.2 (LTS)
IBM Cognos Analytics <11.1.7 FP5 IBM / Cognos Analytics		<11.1.7 FP5
Open Source Node.js <v17.3.1 Open Source / Node.js		<v17.3.1
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2022-21824

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source Node.js <v12.22.9 (LTS) Open Source / Node.js		<v12.22.9 (LTS)
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-`	—
IBM Cognos Analytics <11.2.3 IBM / Cognos Analytics		<11.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Open Source Node.js <v14.18.3 (LTS) Open Source / Node.js		<v14.18.3 (LTS)
Open Source Node.js <v16.13.2 (LTS) Open Source / Node.js		<v16.13.2 (LTS)
IBM Cognos Analytics <11.1.7 FP5 IBM / Cognos Analytics		<11.1.7 FP5
Open Source Node.js <v17.3.1 Open Source / Node.js		<v17.3.1
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

References

22 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://nodejs.org/en/blog/vulnerability/jan-2022…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://alas.aws.amazon.com/AL2022/ALAS-2022-019.html	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2022:4914	external
https://lists.debian.org/debian-security-announce…	external
https://security.netapp.com/advisory/ntap-2022072…	external
https://lists.debian.org/debian-lts-announce/2022…	external
https://access.redhat.com/errata/RHSA-2022:7044	external
https://access.redhat.com/errata/RHSA-2022:7830	external
https://alas.aws.amazon.com/AL2022/ALAS-2022-214.html	external
https://access.redhat.com/errata/RHSA-2022:9073	external
http://linux.oracle.com/errata/ELSA-2022-9073-1.html	external
https://access.redhat.com/errata/RHSA-2023:1742	external
https://security.gentoo.org/glsa/202405-29	external
https://www.ibm.com/support/pages/node/6615285	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0099 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0099.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0099 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0099"
      },
      {
        "category": "external",
        "summary": "NodeJs Security Release vom 2022-01-10",
        "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0113-1 vom 2022-01-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010021.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0114-1 vom 2022-01-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010019.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0112-1 vom 2022-01-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010023.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0101-1 vom 2022-01-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010017.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-019 vom 2022-02-03",
        "url": "https://alas.aws.amazon.com/AL2022/ALAS-2022-019.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0570-1 vom 2022-02-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010306.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:1717-1 vom 2022-05-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-May/011058.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:4914 vom 2022-06-06",
        "url": "https://access.redhat.com/errata/RHSA-2022:4914"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5170 vom 2022-06-27",
        "url": "https://lists.debian.org/debian-security-announce/2022/msg00138.html"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20220729-0004 vom 2022-08-19",
        "url": "https://security.netapp.com/advisory/ntap-20220729-0004/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3137 vom 2022-10-05",
        "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:7044 vom 2022-10-19",
        "url": "https://access.redhat.com/errata/RHSA-2022:7044"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:7830 vom 2022-11-08",
        "url": "https://access.redhat.com/errata/RHSA-2022:7830"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-214 vom 2022-12-09",
        "url": "https://alas.aws.amazon.com/AL2022/ALAS-2022-214.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:9073 vom 2022-12-15",
        "url": "https://access.redhat.com/errata/RHSA-2022:9073"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-9073 vom 2022-12-17",
        "url": "http://linux.oracle.com/errata/ELSA-2022-9073-1.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:1742 vom 2023-04-12",
        "url": "https://access.redhat.com/errata/RHSA-2023:1742"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202405-29 vom 2024-05-08",
        "url": "https://security.gentoo.org/glsa/202405-29"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6615285 vom 2025-07-15",
        "url": "https://www.ibm.com/support/pages/node/6615285"
      }
    ],
    "source_lang": "en-US",
    "title": "Node.js: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-07-15T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-16T07:51:55.275+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2022-0099",
      "initial_release_date": "2022-01-10T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-01-10T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-01-12T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: FEDORA-2022-0EDA327CB4, FEDORA-2022-78090D2099"
        },
        {
          "date": "2022-01-18T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-02-03T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2022-02-24T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-05-17T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-06-06T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-06-27T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2022-08-21T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von NetApp aufgenommen"
        },
        {
          "date": "2022-10-05T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2022-10-19T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-11-08T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-12-11T23:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2022-12-15T23:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-12-18T23:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2023-04-12T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-05-09T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2025-07-15T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "18"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c11.2.3",
                "product": {
                  "name": "IBM Cognos Analytics \u003c11.2.3",
                  "product_id": "1225441"
                }
              },
              {
                "category": "product_version",
                "name": "11.2.3",
                "product": {
                  "name": "IBM Cognos Analytics 11.2.3",
                  "product_id": "1225441-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:cognos_analytics:11.2.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.1.7 FP5",
                "product": {
                  "name": "IBM Cognos Analytics \u003c11.1.7 FP5",
                  "product_id": "T045427"
                }
              },
              {
                "category": "product_version",
                "name": "11.1.7 FP5",
                "product": {
                  "name": "IBM Cognos Analytics 11.1.7 FP5",
                  "product_id": "T045427-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:cognos_analytics:11.1.7_fp5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Cognos Analytics"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "NetApp ActiveIQ Unified Manager",
            "product": {
              "name": "NetApp ActiveIQ Unified Manager",
              "product_id": "T016960",
              "product_identification_helper": {
                "cpe": "cpe:/a:netapp:active_iq_unified_manager:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cv17.3.1",
                "product": {
                  "name": "Open Source Node.js \u003cv17.3.1",
                  "product_id": "T021503"
                }
              },
              {
                "category": "product_version",
                "name": "v17.3.1",
                "product": {
                  "name": "Open Source Node.js v17.3.1",
                  "product_id": "T021503-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nodejs:nodejs:v17.3.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cv16.13.2 (LTS)",
                "product": {
                  "name": "Open Source Node.js \u003cv16.13.2 (LTS)",
                  "product_id": "T021504"
                }
              },
              {
                "category": "product_version",
                "name": "v16.13.2 (LTS)",
                "product": {
                  "name": "Open Source Node.js v16.13.2 (LTS)",
                  "product_id": "T021504-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nodejs:nodejs:v"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cv14.18.3 (LTS)",
                "product": {
                  "name": "Open Source Node.js \u003cv14.18.3 (LTS)",
                  "product_id": "T021505"
                }
              },
              {
                "category": "product_version",
                "name": "v14.18.3 (LTS)",
                "product": {
                  "name": "Open Source Node.js v14.18.3 (LTS)",
                  "product_id": "T021505-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nodejs:nodejs:v"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cv12.22.9 (LTS)",
                "product": {
                  "name": "Open Source Node.js \u003cv12.22.9 (LTS)",
                  "product_id": "T021506"
                }
              },
              {
                "category": "product_version",
                "name": "v12.22.9 (LTS)",
                "product": {
                  "name": "Open Source Node.js v12.22.9 (LTS)",
                  "product_id": "T021506-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nodejs:nodejs:v"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Node.js"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-44531",
      "product_status": {
        "known_affected": [
          "67646",
          "T012167",
          "T021506",
          "T004914",
          "T016960",
          "1225441",
          "2951",
          "T002207",
          "T021505",
          "T021504",
          "T045427",
          "T021503",
          "398363"
        ]
      },
      "release_date": "2022-01-10T23:00:00.000+00:00",
      "title": "CVE-2021-44531"
    },
    {
      "cve": "CVE-2021-44532",
      "product_status": {
        "known_affected": [
          "67646",
          "T012167",
          "T021506",
          "T004914",
          "T016960",
          "1225441",
          "2951",
          "T002207",
          "T021505",
          "T021504",
          "T045427",
          "T021503",
          "398363"
        ]
      },
      "release_date": "2022-01-10T23:00:00.000+00:00",
      "title": "CVE-2021-44532"
    },
    {
      "cve": "CVE-2021-44533",
      "product_status": {
        "known_affected": [
          "67646",
          "T012167",
          "T021506",
          "T004914",
          "T016960",
          "1225441",
          "2951",
          "T002207",
          "T021505",
          "T021504",
          "T045427",
          "T021503",
          "398363"
        ]
      },
      "release_date": "2022-01-10T23:00:00.000+00:00",
      "title": "CVE-2021-44533"
    },
    {
      "cve": "CVE-2022-21824",
      "product_status": {
        "known_affected": [
          "67646",
          "T012167",
          "T021506",
          "T004914",
          "T016960",
          "1225441",
          "2951",
          "T002207",
          "T021505",
          "T021504",
          "T045427",
          "T021503",
          "398363"
        ]
      },
      "release_date": "2022-01-10T23:00:00.000+00:00",
      "title": "CVE-2022-21824"
    }
  ]
}

CVE-2021-44531 (GCVE-0-2021-44531)

Vulnerability from cvelistv5 – Published: 2022-02-24 18:27 – Updated: 2025-04-30 22:24

Summary

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

Severity

No CVSS data available.

CWE

CWE-295 - Improper Certificate Validation (CWE-295)

Assigner

hackerone

References

6 references

URL	Tags
https://hackerone.com/reports/1429694	x_refsource_MISC
https://nodejs.org/en/blog/vulnerability/jan-2022…	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
https://www.debian.org/security/2022/dsa-5170	vendor-advisoryx_refsource_DEBIAN
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.22.9 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.18.3 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.13.2 (semver) Affected: 17.0 , < 17.3.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.807Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1429694"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
          },
          {
            "name": "DSA-5170",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5170"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.22.9",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.18.3",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.13.2",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.3.1",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "Improper Certificate Validation (CWE-295)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:39.015Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1429694"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
        },
        {
          "name": "DSA-5170",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5170"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2021-44531",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/nodejs/node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Certificate Validation (CWE-295)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1429694",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1429694"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
              "refsource": "MISC",
              "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220325-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
            },
            {
              "name": "DSA-5170",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5170"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2021-44531",
    "datePublished": "2022-02-24T18:27:00.000Z",
    "dateReserved": "2021-12-02T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:39.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-44532 (GCVE-0-2021-44532)

Vulnerability from cvelistv5 – Published: 2022-02-24 18:27 – Updated: 2025-04-30 22:24

Summary

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

Severity

No CVSS data available.

CWE

CWE-296 - Improper Following of a Certificate's Chain of Trust (CWE-296)

Assigner

hackerone

References

6 references

URL	Tags
https://hackerone.com/reports/1429694	x_refsource_MISC
https://nodejs.org/en/blog/vulnerability/jan-2022…	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
https://www.debian.org/security/2022/dsa-5170	vendor-advisoryx_refsource_DEBIAN
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.22.9 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.18.3 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.13.2 (semver) Affected: 17.0 , < 17.3.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1429694"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
          },
          {
            "name": "DSA-5170",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5170"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.22.9",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.18.3",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.13.2",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.3.1",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-296",
              "description": "Improper Following of a Certificate\u0027s Chain of Trust (CWE-296)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:39.850Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1429694"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
        },
        {
          "name": "DSA-5170",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5170"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2021-44532",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/nodejs/node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Following of a Certificate\u0027s Chain of Trust (CWE-296)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1429694",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1429694"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
              "refsource": "MISC",
              "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220325-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
            },
            {
              "name": "DSA-5170",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5170"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2021-44532",
    "datePublished": "2022-02-24T18:27:01.000Z",
    "dateReserved": "2021-12-02T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:39.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-44533 (GCVE-0-2021-44533)

Vulnerability from cvelistv5 – Published: 2022-02-24 18:27 – Updated: 2025-04-30 22:24

Summary

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

Severity

No CVSS data available.

CWE

CWE-295 - Improper Certificate Validation (CWE-295)

Assigner

hackerone

References

6 references

URL	Tags
https://hackerone.com/reports/1429694	x_refsource_MISC
https://nodejs.org/en/blog/vulnerability/jan-2022…	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
https://www.debian.org/security/2022/dsa-5170	vendor-advisoryx_refsource_DEBIAN
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.22.9 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.18.3 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.13.2 (semver) Affected: 17.0 , < 17.3.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.822Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1429694"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
          },
          {
            "name": "DSA-5170",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5170"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.22.9",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.18.3",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.13.2",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.3.1",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node\u0027s ambiguous presentation of certificate subjects may be vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "Improper Certificate Validation (CWE-295)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:40.708Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1429694"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
        },
        {
          "name": "DSA-5170",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5170"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2021-44533",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/nodejs/node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node\u0027s ambiguous presentation of certificate subjects may be vulnerable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Certificate Validation (CWE-295)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1429694",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1429694"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/",
              "refsource": "MISC",
              "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220325-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
            },
            {
              "name": "DSA-5170",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5170"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2021-44533",
    "datePublished": "2022-02-24T18:27:02.000Z",
    "dateReserved": "2021-12-02T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:40.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-21824 (GCVE-0-2022-21824)

Vulnerability from cvelistv5 – Published: 2022-02-24 00:00 – Updated: 2025-04-30 22:24

Summary

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.

Severity

No CVSS data available.

CWE

CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)

Assigner

hackerone

References

8 references

URL	Tags
https://nodejs.org/en/blog/vulnerability/jan-2022…
https://hackerone.com/reports/1431042
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-2022032…
https://www.debian.org/security/2022/dsa-5170	vendor-advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://security.netapp.com/advisory/ntap-2022072…
https://lists.debian.org/debian-lts-announce/2022…	mailing-list

Impacted products

1 product

Vendor	Product	Version
NodeJS	Node	Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.22.9 (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.18.3 (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.13.2 (semver) Affected: 17.0 , < 17.3.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:53:36.314Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1431042"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
          },
          {
            "name": "DSA-5170",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5170"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220729-0004/"
          },
          {
            "name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node",
          "vendor": "NodeJS",
          "versions": [
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.22.9",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.18.3",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.13.2",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.3.1",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-471",
              "description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T22:24:41.602Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"
        },
        {
          "url": "https://hackerone.com/reports/1431042"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"
        },
        {
          "name": "DSA-5170",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5170"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220729-0004/"
        },
        {
          "name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2022-21824",
    "datePublished": "2022-02-24T00:00:00.000Z",
    "dateReserved": "2021-12-10T00:00:00.000Z",
    "dateUpdated": "2025-04-30T22:24:41.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2022-0099

CVE-2021-44531 (GCVE-0-2021-44531)

CVE-2021-44532 (GCVE-0-2021-44532)

CVE-2021-44533 (GCVE-0-2021-44533)

CVE-2022-21824 (GCVE-0-2022-21824)

Tags

Sightings

Nomenclature