github - ghsa-79cw-cghj-vx7w

ghsa-79cw-cghj-vx7w

Vulnerability from github

Published

2022-05-14 03:55

Modified

2022-05-14 03:55

Severity

5.9 (Medium) - CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7099"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-10T16:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.",
  "id": "GHSA-79cw-cghj-vx7w",
  "modified": "2022-05-14T03:55:51Z",
  "published": "2022-05-14T03:55:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7099"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2016-7099

Vulnerability from cvelistv5

Published

2016-10-10 16:00

Modified

2024-08-06 01:50

Severity

Summary

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

References

URL	Tags
http://www.securityfocus.com/bid/93191	vdb-entry, x_refsource_BID
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/	x_refsource_CONFIRM
https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2017-0002.html	vendor-advisory, x_refsource_REDHAT
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html	vendor-advisory, x_refsource_SUSE

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:50:47.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "93191",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93191"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b"
          },
          {
            "name": "RHSA-2017:0002",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
          },
          {
            "name": "SUSE-SU-2016:2470",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "93191",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93191"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b"
        },
        {
          "name": "RHSA-2017:0002",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
        },
        {
          "name": "SUSE-SU-2016:2470",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-7099",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "93191",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93191"
            },
            {
              "name": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/",
              "refsource": "CONFIRM",
              "url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"
            },
            {
              "name": "https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b",
              "refsource": "CONFIRM",
              "url": "https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b"
            },
            {
              "name": "RHSA-2017:0002",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
            },
            {
              "name": "SUSE-SU-2016:2470",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-7099",
    "datePublished": "2016-10-10T16:00:00",
    "dateReserved": "2016-08-27T00:00:00",
    "dateUpdated": "2024-08-06T01:50:47.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.