Your submission was sent successfully! Close

CVE-2016-7099

Published: 10 October 2016

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

From the Ubuntu security team

Alexander Minozhenko and James Bunton discovered that Node.js did not properly handle wildcards in name fields of X.509 TLS certificates. An attacker could use this vulnerability to execute a man-in-the-middle-attack.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status
nodejs
Launchpad, Ubuntu, Debian
Upstream
Released (4.6.0~dfsg-1)
Ubuntu 21.10 (Impish Indri) Not vulnerable
(8.11.2~dfsg-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(8.11.2~dfsg-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(8.11.2~dfsg-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(8.10.0~dfsg-2)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Needed

Patches:
Upstream: https://github.com/nodejs/node/commit/0d7e21ee7bcc79046f898f8c202d2ec87d23d711 (0.10)
Upstream: https://github.com/nodejs/node/commit/3ff82deb2c3bd580d64be75dbafe460393c952fb (4.x)