CVE-2021-22939 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Certificate verification bypass
Description	If the Node.js https API in versions before 16.6.2, 14.17.5 and 12.22.5 was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2285	nodejs-lts-erbium	12.22.4-2	12.22.7-1	High	Fixed	FS#72412
AVG-2284	nodejs-lts-fermium	14.17.4-1	14.18.1-1	High	Fixed	FS#72413
AVG-2283	nodejs	16.6.1-1	16.6.2-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
21 Oct 2021	ASA-202110-6	AVG-2285	nodejs-lts-erbium	High	multiple issues
21 Oct 2021	ASA-202110-5	AVG-2284	nodejs-lts-fermium	High	multiple issues

References
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939 https://hackerone.com/reports/1278254 https://github.com/nodejs-private/node-private/pull/276 https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80 https://github.com/nodejs/node/commit/35b86110e45083a75d7dc8e6be5a930b262494f6 https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d

References

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
https://hackerone.com/reports/1278254
https://github.com/nodejs-private/node-private/pull/276
https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80
https://github.com/nodejs/node/commit/35b86110e45083a75d7dc8e6be5a930b262494f6
https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d