Vulnerability Description
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 12.0.0, < 12.22.5 |
| Oracle | Graalvm | 20.3.3 |
| Oracle | Jd Edwards Enterpriseone Tools | <= 9.2.6.1 |
| Oracle | Mysql Cluster | <= 8.0.26 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Netapp | Nextgen Api | - |
| Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1278254ExploitIssue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.htmlIssue TrackingThird Party Advisory
- https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/PatchVendor Advisory
- https://security.gentoo.org/glsa/202401-02
- https://security.netapp.com/advisory/ntap-20210917-0003/Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1278254ExploitIssue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.htmlIssue TrackingThird Party Advisory
- https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/PatchVendor Advisory
- https://security.gentoo.org/glsa/202401-02
- https://security.netapp.com/advisory/ntap-20210917-0003/Third Party Advisory
FAQ
What is CVE-2021-22939?
CVE-2021-22939 is a vulnerability with a CVSS score of 5.3 (MEDIUM). If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would h...
How severe is CVE-2021-22939?
CVE-2021-22939 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22939?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools, Oracle Mysql Cluster, Oracle Peoplesoft Enterprise Peopletools.