{
  "threat_severity" : "Moderate",
  "public_date" : "2022-01-10T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: Certificate Verification Bypass via String Injection",
    "id" : "2040846",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2040846"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 convert SANs (Subject Alternative Names) to a string format and use that string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of those name constraints. Versions of Node.js with the fix escape SANs containing the problematic characters in order to prevent the injection. The fix can be reverted through the --security-revert command-line option, which restores the vulnerable behavior.", "It was found that Node.js did not safely parse the X.509 certificate GeneralName format, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host." ],
  "statement" : "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2, because nodejs is only used there at build time; starting with Quay 3.5, nodejs is no longer shipped at all [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore the Quay component is marked as \"Will not fix\" with impact LOW.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-06-21T00:00:00Z",
    "advisory" : "RHEA-2022:5139",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:12-8060020220523160029.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7830",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:14-8070020221020110846.bd1311ed"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-12-15T00:00:00Z",
    "advisory" : "RHSA-2022:9073",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:16-8070020221207164159.bd1311ed"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
    "release_date" : "2022-06-07T00:00:00Z",
    "advisory" : "RHEA-2022:4925",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
    "package" : "nodejs:12-8010020220518102644.c27ad7f8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2022-06-28T00:00:00Z",
    "advisory" : "RHEA-2022:5221",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "nodejs:12-8020020220523154454.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support",
    "release_date" : "2022-07-19T00:00:00Z",
    "advisory" : "RHEA-2022:5615",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.4",
    "package" : "nodejs:12-8040020220523155137.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-04-12T00:00:00Z",
    "advisory" : "RHSA-2023:1742",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "nodejs:14-8060020230306170237.ad008a3a"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4914",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs12-nodejs-0:12.22.12-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2022-10-19T00:00:00Z",
    "advisory" : "RHSA-2022:7044",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-nodejs14-nodejs-0:14.20.1-2.el7"
  }, {
    "product_name" : "RHODF-4.13-RHEL-9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3742",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.13::el9",
    "package" : "odf4/mcg-core-rhel9:v4.13.0-41"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-44532\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44532" ],
  "name" : "CVE-2021-44532",
  "csaw" : false
}