Data Handling in Node.js

#VU32225 Data Handling in Node.js

Published: 2016-10-10 | Updated: 2020-07-28

Vulnerability identifier: #VU32225

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7099

CWE-ID: CWE-19

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Node.js: 0.10.0 - 0.10.46

External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
http://rhn.redhat.com/errata/RHSA-2017-0002.html
http://www.securityfocus.com/bid/93191
http://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b
http://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Data Handling in nodejs-lts (Alpine package)

Data Handling in nodejs (Alpine package)

Data Handling in Node.js