CVE-2021-22939

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Published: Aug 16, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-22939
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
nodejs / node.js	12.0.0	12.22.5
nodejs / node.js	14.0.0	14.17.5
nodejs / node.js	16.0.0	16.6.2
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / graalvm	20.3.3	20.3.3.x
oracle / graalvm	21.2.0	21.2.0.x
oracle / mysql_cluster	-	8.0.26.x
oracle / jd_edwards_enterpriseone_tools	-	9.2.6.1.x
siemens / sinec_infrastructure_network_services	-	1.0.1.1
debian / debian_linux	10.0	10.0.x

Vulnerability Database

289,599

CVE-2021-22939