CVE-2020-24025 — Improper Certificate Validation in Node-node-sass

CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 46.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Node-node-sass Sass-lang Node-sass Msrc Cbl2 Reaper 3.1.1-9 ON CBL Mariner 2.0 +2 more

Timeline

PublishedJan 11

Latest updateFeb 9

Description

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶npmsass-lang/node-sass2.0.0 — 7.0.0

▶debiandebian/node-node-sass< node-node-sass 7.0.1+git20211229.3bb51da+dfsg-1 (bookworm)

▶NVDsass-lang/node-sass2.0.0 — 4.14.1

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

🔴Vulnerability Details

GHSA

Improper Certificate Validation in node-sass↗2022-02-09

▶

OSV

Improper Certificate Validation in node-sass↗2022-02-09

▶

OSV

CVE-2020-24025: Certificate validation in node-sass 2↗2021-01-11

▶

📋Vendor Advisories

Microsoft

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.↗2021-01-12

▶

Red Hat

nodejs-node-sass: Certificate validation is disabled when requesting binaries↗2021-01-11

▶

Debian

CVE-2020-24025: node-node-sass - Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting ...↗2020

▶