CVE-2021-22939
MEDIUM
Node.js 12.0.0-12.22.4 and 16.0.0-16.6.1 - Improper Certificate Validation
Title source: llm
Description
If the Node.js https API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
References (9)
Core References
Issue Tracking, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202401-02
Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1278254
Patch, Vendor Advisory
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210917-0003/
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Scores
CVSS v3
5.3
EPSS
0.0012
EPSS Percentile
31.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-295
Status
published
Products (12)
debian/debian_linux
10.0
netapp/nextgen_api
nodejs/node.js
12.0.0 - 12.22.5
nodejs/node.js
16.0.0 - 16.6.2
oracle/graalvm
20.3.3
oracle/graalvm
21.2.0
oracle/jd_edwards_enterpriseone_tools
< 9.2.6.1
oracle/mysql_cluster
< 8.0.26
oracle/peoplesoft_enterprise_peopletools
8.57
oracle/peoplesoft_enterprise_peopletools
8.58
... and 2 more
Published
Aug 16, 2021
Tracked Since
Feb 18, 2026