CVE-2021-22939

Source
Severity: Low
Remote: Yes
Type: Certificate verification bypass
Description: If the Node.js https API in versions before 16.6.2, 14.17.5 and 12.22.5 was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
Group     Package              Affected    Fixed      Severity  Status  Ticket
AVG-2285  nodejs-lts-erbium    12.22.4-2   12.22.7-1  High      Fixed   FS#72412
AVG-2284  nodejs-lts-fermium   14.17.4-1   14.18.1-1  High      Fixed   FS#72413
AVG-2283  nodejs               16.6.1-1    16.6.2-1   High      Fixed

Note: the group severity (High) covers every issue bundled in each group, not just this Low-severity CVE; the advisories below are accordingly typed "multiple issues".
Date         Advisory       Group     Package             Severity  Type
21 Oct 2021  ASA-202110-6   AVG-2285  nodejs-lts-erbium   High      multiple issues
21 Oct 2021  ASA-202110-5   AVG-2284  nodejs-lts-fermium  High      multiple issues
References
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
https://hackerone.com/reports/1278254
https://github.com/nodejs-private/node-private/pull/276
https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80
https://github.com/nodejs/node/commit/35b86110e45083a75d7dc8e6be5a930b262494f6
https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d