CVE-2016-7099

Sažetak

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Reference

http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
http://rhn.redhat.com/errata/RHSA-2017-0002.html
http://www.securityfocus.com/bid/93191
https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

05-01-2018 - 02:31

Objavljeno

10-10-2016 - 16:59