git: 482b3e711590 - main - security/vuxml: Document nodejs vulnerabilities
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 02 Apr 2022 15:42:16 UTC
The branch main has been updated by otis:
URL: https://cgit.FreeBSD.org/ports/commit/?id=482b3e711590e12d3f996bf9ab67b74516a439e9
commit 482b3e711590e12d3f996bf9ab67b74516a439e9
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-04-02 15:40:16 +0000
Commit: Juraj Lutter <otis@FreeBSD.org>
CommitDate: 2022-04-02 15:40:16 +0000
security/vuxml: Document nodejs vulnerabilities
PR: 261789
---
security/vuxml/vuln-2022.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 22dcb8a62950..f06eee6e740a 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1400,6 +1400,53 @@
</dates>
</vuln>
+ <vuln vid="972ba0e8-8b8a-11ec-b369-6c3be5272acd">
+ <topic>Node.js -- January 2022 Security Releases</topic>
+ <affects>
+ <package>
+ <name>node</name>
+ <range><ge>12.0.0</ge><lt>12.22.9</lt></range>
+ <range><ge>14.0.0</ge><lt>14.18.3</lt></range>
+ <range><ge>16.0.0</ge><lt>16.13.2</lt></range>
+ <range><ge>17.0.0</ge><lt>17.3.1</lt></range>
+ </package>
+ <package>
+ <name>node16</name>
+ <range><lt>16.13.2</lt></range>
+ </package>
+ <package>
+ <name>node14</name>
+ <range><lt>14.18.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/">
+ <h1>Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)</h1>
+ <p>Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.</p>
+ <h1>Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)</h1>
+ <p>Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.</p>
+ <h1>Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)</h1>
+ <p>Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.</p>
+ <h1>Prototype pollution via <code>console.table</code> properties (Low)(CVE-2022-21824)</h1>
+ <p>Due to the formatting logic of the <code>console.table()</code> function it was not safe to allow user controlled input to be passed to the <code>properties</code> parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be <code>__proto__</code>. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2021-44531</cvename>
+ <cvename>CVE-2021-44532</cvename>
+ <cvename>CVE-2021-44533</cvename>
+ <cvename>CVE-2022-21824</cvename>
+ <url>https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/</url>
+ </references>
+ <dates>
+ <discovery>2022-01-10</discovery>
+ <entry>2022-02-12</entry>
+ </dates>
+ </vuln>
+
<vuln vid="0b0ad196-1ee8-4a98-89b1-4d5d82af49a9">
<topic>jenkins -- DoS vulnerability in bundled XStream library</topic>
<affects>