CVE-2021-44533

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4e44cbfba6bbb87aa15564ea6856a556804f71c0

Introduced

7162e686b18d22b4385fa5c04274fb04dbd810c7

Fixed

acb71eab779fb56bf70e8a9e0cb2e82a089a87de

Introduced

73aa21658dfa6a22c06451d080152b32b1f98dbe

Fixed

92df3d654b366aa115fb672756cb051d480d8acc

Introduced

f99ce7c1b88ff445f60e9e5575b674cb509e47f3

Fixed

e4f326669a3f98a8804dde23eee6d8403f0a99f1

Affected versions

v14.*

v14.0.0

v14.1.0

v14.10.0

v14.10.1

v14.11.0

v14.12.0

v14.13.0

v14.13.1

v14.14.0

v14.15.0

v14.15.1

v14.15.2

v14.15.3

v14.15.4

v14.15.5

v14.16.0

v14.16.1

v14.17.0

v14.17.1

v14.17.2

v14.17.3

v14.17.4

v14.17.5

v14.17.6

v14.18.0

v14.18.1

v14.18.2

v14.2.0

v14.3.0

v14.4.0

v14.5.0

v14.6.0

v14.7.0

v14.8.0

v14.9.0

v16.*

v16.0.0

v16.1.0

v16.10.0

v16.11.0

v16.11.1

v16.12.0

v16.13.0

v16.13.1

v16.2.0

v16.3.0

v16.4.0

v16.4.1

v16.4.2

v16.5.0

v16.6.0

v16.6.1

v16.6.2

v16.7.0

v16.8.0

v16.9.0

v16.9.1

v17.*

v17.0.0

v17.0.1

v17.1.0

v17.2.0

v17.3.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44533.json"