Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Multiple Node.js vulnerabilities fixed in flurry of new releases

The developers behind Node.js have released new versions of several release lines to address four vulnerabilities in the server-side technology.

Node.js is a popular JavaScript runtime environment for building scalable network applications.

The security flaws, three of medium severity and one marked as low severity, have been fixed in new versions of the 12.x, 14.x, 16.x, and 17.x branches.

Medium-risk flaws

As detailed in a Node.js security advisory yesterday (January 10), the first vulnerability (CVE-2021-44531) was due to the improper handling of URI Subject Alternative Names.

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates, wrote the developers in a blog post.

Node.js was accepting URI SAN types, which PKIs are often not defined to use. In addition, when a protocol allows URI SANs, Node.js did not match the URI correctly.

This issue, which was reported to the team by Google, has been fixed in the newer versions of Node.js, which disable the URI SAN type when checking a certificate against a hostname.

This behavior can be reverted through the –security-revert command-line option, adds the blog.

Another issue (CVE-2021-44532) is a certificate verification bypass via string injection bug.

When Node.js converts SANs to a string format, it uses this string to check peer certificates against hostnames when validating connections.

The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

The vulnerability, also reported by Google, is now fixed. Newer versions escape SANs containing the problematic characters in order to prevent the injection. This behavior can also be reverted through the –security-revert command-line option.

The third medium severity bug, also reported by Google, is the incorrect handling of certificate subject and issuer fields (CVE-2021-44533).

The blog post explains that Node.js did not handle multi-value Relative Distinguished Names correctly.

“Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification,” it reads.

Advertisement. Scroll to continue reading.

Affected versions of Node.js, however, do not accept multi-value Relative Distinguished Names and are therefore not vulnerable to such attacks. However, the developers warn, third-party code that uses Node.js’ ambiguous presentation of certificate subjects may be vulnerable.

Low severity

Finally, a fourth, low severity security flaw (CVE-2022-21824) could allow prototype pollution via console.table properties.

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__, the developers explain.

However, the prototype pollution bug has very limited impact, as it only allows an empty string to be assigned to numerical keys of the object prototype.

The latest versions for Node.js use a null prototype for the object these properties are being assigned to in order to fix the issue.

All of the issues have been fixed in releases for Node.js versions 12.x, 14.x, 16.x, and 17.x. The fixes can be found in the security notes.

The Daily Swig has reached out to the developers of Node.js for comment and will update this article accordingly.

Source: https://portswigger.net/daily-swig/multiple-node-js-vulnerabilities-fixed-in-flurry-of-new-releases

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO