CVE-2021-22939 - log

CVE-2021-22939 edited at 12 Aug 2021 07:33:24
References
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
+ https://hackerone.com/reports/1278254
+ https://github.com/nodejs-private/node-private/pull/276
+ https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80
+ https://github.com/nodejs/node/commit/35b86110e45083a75d7dc8e6be5a930b262494f6
+ https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d
CVE-2021-22939 edited at 12 Aug 2021 07:09:00
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Certificate verification bypass
Description
+ If the Node.js https API in versions before 16.6.2, 14.17.5 and 12.22.5 was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
References
+ https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
Notes
CVE-2021-22939 created at 12 Aug 2021 07:06:06