CVE-2021-22939

EUVD-2021-10068
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
nodejsnode.js
12.0.0 ≤
𝑥
< 12.22.5
nodejsnode.js
14.0.0 ≤
𝑥
< 14.17.5
nodejsnode.js
16.0.0 ≤
𝑥
< 16.6.2
oraclegraalvm
20.3.3
oraclegraalvm
21.2.0
oraclejd_edwards_enterpriseone_tools
𝑥
≤ 9.2.6.1
oraclemysql_cluster
𝑥
≤ 8.0.26
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
netappnextgen_api
-
siemenssinec_infrastructure_network_services
𝑥
< 1.0.1.1
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bookworm
18.19.0+dfsg-6~deb12u2
fixed
bookworm (security)
18.19.0+dfsg-6~deb12u1
fixed
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u5
fixed
sid
20.17.0+dfsg-2
fixed
trixie
20.17.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nodejs
bionic
needs-triage
focal
needs-triage
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1278254
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210917-0003/
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1278254
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210917-0003/
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html