Lucene search

[email protected]CVE-2021-22939

HistoryAug 16, 2021 - 7:15 p.m.

CVE-2021-22939

2021-08-1619:15:13

CWE-295

[email protected]

web.nvd.nist.gov

222

node.js

api

security

cve-2021-22939

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

7.4

Confidence

Low

EPSS

0.011

Percentile

84.5%

JSON

If the Node.js https API was used incorrectly and “undefined” was in passed for the “rejectUnauthorized” parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Affected configurations

NVD

Node

nodejsnode.jsRange12.0.0–12.22.5lts

nodejsnode.jsRange14.0.0–14.17.5lts

nodejsnode.jsRange16.0.0–16.6.2-

Node

oraclegraalvmMatch20.3.3enterprise

oraclegraalvmMatch21.2.0enterprise

oraclejd_edwards_enterpriseone_toolsRange≤9.2.6.1

oraclemysql_clusterRange≤8.0.26

oraclepeoplesoft_enterprise_peopletoolsMatch8.57

oraclepeoplesoft_enterprise_peopletoolsMatch8.58

oraclepeoplesoft_enterprise_peopletoolsMatch8.59

Node

netappnextgen_apiMatch-

Node

siemenssinec_infrastructure_network_servicesRange<1.0.1.1

Node

debiandebian_linuxMatch10.0

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "https://github.com/nodejs/node",
    "versions": [
      {
        "version": "Fixed version 16.6.2, 14.17.5, and 12.22.5",
        "status": "affected"
      }
    ]
  }
]