CVE-2016-7099

CWE-1910 documents8 sources

Severity

5.9MEDIUM

EPSS

0.7%

top 27.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node.js Suse Linux Enterprise

Timeline

PublishedOct 10

Latest updateMay 14

Description

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Debiannodejs< 4.6.0~dfsg-1+3

▶Ubuntunodejs< 0.10.25~dfsg2-2ubuntu1.2+esm1+2

▶NVDnodejs/node.js97 versions+96

Also affects: Linux Enterprise 12.0

Patches

Patch: github.com ↗Patch: nodejs.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-79cw-cghj-vx7w: The tls↗2022-05-14

▶

OSV

nodejs vulnerabilities↗2021-03-15

▶

CVEList

CVE-2016-7099: The tls↗2016-10-10

▶

OSV

CVE-2016-7099: The tls↗2016-10-10

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2021-03-15

▶

Red Hat

nodejs: wildcard certificates not properly validated↗2016-09-28

▶

Debian

CVE-2016-7099: nodejs - The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x be...↗2016

▶

💬Community

Bugzilla

CVE-2016-7099 nodejs: wildcard certificates not properly validated↗2016-09-28

▶

Bugzilla

CVE-2016-7099 nodejs: wildcard certificates not properly validated [fedora-all]↗2016-09-28

▶