Description
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
It was found that Node.js' tls.checkServerIdentity() function did not properly validate server certificates containing wildcards. A malicious TLS server could use this flaw to get a specially crafted certificate accepted by a Node.js TLS client.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Mobile Application Platform 4 | nodejs | Not affected | | |
| Red Hat OpenShift Enterprise 2 | nodejs010-nodejs | Will not fix | | |
| Red Hat OpenShift Enterprise 3 | nodejs | Not affected | | |
| Red Hat Software Collections | nodejs010-nodejs | Will not fix | | |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-nodejs4-http-parser | Fixed | RHSA-2017:0002 | 02.01.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-nodejs4-nodejs | Fixed | RHSA-2017:0002 | 02.01.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-nodejs4-http-parser | Fixed | RHSA-2017:0002 | 02.01.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-nodejs4-nodejs | Fixed | RHSA-2017:0002 | 02.01.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs4-http-parser | Fixed | RHSA-2017:0002 | 02.01.2017 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs4-nodejs | Fixed | RHSA-2017:0002 | 02.01.2017 |
Additional information
Status:
EPSS:
CVSS3: 7.4 High
CVSS2: 5.8 Medium