CVE-2021-22939

Description

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.12%• Percentile: 31%

Techniques & Countermeasures

• CWE-295•Improper Certificate Validation

  The product does not validate, or incorrectly validates, a certificate.

Affected Systems

• debian•debian_linux

  10.0

• netapp•nextgen_api

  na

• nodejs•node

  ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.22.5 | ≥ 13.0, < 13.* | ≥ 14.0, < 14.17.5 | ≥ 15.0, < 15.* | ≥ 16.0, < 16.6.2

• nodejs•node.js

  ≥ 12.0.0, < 12.22.5 | ≥ 14.0.0, < 14.17.5 | ≥ 16.0.0, < 16.6.2

• oracle•graalvm

  20.3.3 | 21.2.0

• oracle•jd_edwards_enterpriseone_tools

  ≤ 9.2.6.1

• oracle•mysql_cluster

  ≤ 8.0.26

• oracle•peoplesoft_enterprise_peopletools

  8.57 | 8.58 | 8.59

• siemens•sinec_infrastructure_network_services

  < 1.0.1.1

References (9)

• https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
• https://hackerone.com/reports/1278254
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://security.netapp.com/advisory/ntap-20210917-0003/
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
• https://security.gentoo.org/glsa/202401-02