CVE-2021-22939

CWE-295 — Improper Certificate Validation CWE-20 — Improper Input Validation7 documents7 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 68.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Siemens Sinec Infrastructure Network Services +5 more

Timeline

PublishedAug 16

Latest updateMay 24

Description

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages8 packages

▶CVEListV5nodejs/node4.0 — 4.*+12

▶NVDnodejs/node.js12.0.0 — 12.22.5+2

▶Debiannodejs< 12.22.5~dfsg-2~11u1+3

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶NVDoracle/mysql_cluster8.0.26

Also affects: Debian Linux 10.0

Patches

Patch: cert-portal.siemens.com ↗Patch: nodejs.org ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-9mvv-4q4j-q2j8: If the Node↗2022-05-24

▶

OSV

CVE-2021-22939: If the Node↗2021-08-16

▶

CVEList

CVE-2021-22939: If the Node↗2021-08-16

▶

📋Vendor Advisories

Red Hat

nodejs: Incomplete validation of tls rejectUnauthorized parameter↗2021-08-11

▶

Microsoft

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter no error was returned and connections to servers with an expired certificate would ha↗2021-08-10

▶

Debian

CVE-2021-22939: nodejs - If the Node.js https API was used incorrectly and "undefined" was in passed for ...↗2021

▶