Man-in-the-Middle Vulnerability in Node.js Products by Node.js
CVE-2016-7099

5.9MEDIUM

Key Information:

Vendor

Nodejs

Status
Node.js
Vendor
CVE Published:
10 October 2016

What is CVE-2016-7099?

The tls.checkServerIdentity function in Node.js versions prior to 0.10.47, 0.12.16, 4.6.0, and 6.7.0 inadequately validates wildcards in the name fields of X.509 certificates. This flaw enables man-in-the-middle attackers to impersonate legitimate servers using crafted certificates, potentially jeopardizing the integrity and confidentiality of communications.

References

http://www.securityfocus.com/bid/93191
vdb-entryx_refsource_BID
https://nodejs.org/en/blog/vulnerability/september-2016-s...
x_refsource_CONFIRM
https://github.com/nodejs/node/commit/743f0c916469f3129df...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.