{
  "threat_severity" : "Important",
  "public_date" : "2016-09-28T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: wildcard certificates not properly validated",
    "id" : "1379921",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1379921"
  },
  "cvss" : {
    "cvss_base_score" : "5.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "details" : [ "The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.", "It was found that Node.js' tls.checkServerIdentity() function did not properly validate server certificates containing wildcards. A malicious TLS server could use this flaw to get a specially crafted certificate accepted by a Node.js TLS client." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs010-nodejs",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:openshift:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs010-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-7099\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-7099\nhttps://nodejs.org/en/blog/vulnerability/september-2016-security-releases/" ],
  "name" : "CVE-2016-7099",
  "csaw" : false
}