#VU32225 Data Handling in Node.js - CVE-2016-7099
Published: October 10, 2016 / Updated: July 28, 2020
Vulnerability identifier: #VU32225
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-7099
CWE-ID: CWE-19
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Node.js
Node.js
Software vendor:
Node.js Foundation
Node.js Foundation
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
- http://rhn.redhat.com/errata/RHSA-2017-0002.html
- http://www.securityfocus.com/bid/93191
- https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b
- https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/