CVE-2021-22939: Input Validation
First published: Wed Aug 11 2021(Updated: )
Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-nodejs14-nodejs | <0:14.17.5-1.el7 | 0:14.17.5-1.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.22.5-1.el7 | 0:12.22.5-1.el7 |
| redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-5.el7 | 0:2.0.3-5.el7 |
| redhat/nodejs | <12.22.5 | 12.22.5 |
| redhat/nodejs | <14.17.5 | 14.17.5 |
| redhat/nodejs | <16.6.2 | 16.6.2 |
| >=12.0.0<12.22.5 | ||
| >=14.0.0<14.17.5 | ||
| >=16.0.0<16.6.2 | ||
| =20.3.3 | ||
| =21.2.0 | ||
| <=9.2.6.1 | ||
| <=8.0.26 | ||
| =8.57 | ||
| =8.58 | ||
| =8.59 | ||
| <1.0.1.1 | ||
| =10.0 | ||
| Nodejs Node.js | >=12.0.0<12.22.5 | |
| Nodejs Node.js | >=14.0.0<14.17.5 | |
| Nodejs Node.js | >=16.0.0<16.6.2 | |
| Oracle GraalVM | =20.3.3 | |
| Oracle GraalVM | =21.2.0 | |
| Oracle Jd Edwards Enterpriseone Tools | <=9.2.6.1 | |
| Oracle MySQL Cluster | <=8.0.26 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Netapp Nextgen Api | ||
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| Debian Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/207233
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
- https://hackerone.com/reports/1278254
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210917-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
- https://security.gentoo.org/glsa/202401-02
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993040
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993041
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993042
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993043
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993044
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993045
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993046
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1993047
- https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80
- https://access.redhat.com/errata/RHSA-2021:3281
- https://access.redhat.com/errata/RHSA-2021:3280
- https://access.redhat.com/security/cve/cve-2021-22939
- https://access.redhat.com/errata/RHSA-2021:3623
- https://access.redhat.com/errata/RHSA-2021:3639
- https://access.redhat.com/errata/RHSA-2021:3638
- https://access.redhat.com/errata/RHSA-2021:3666
- https://bugzilla.redhat.com/show_bug.cgi?id=1993039
- https://www.cve.org/CVERecord?id=CVE-2021-22939 https://nvd.nist.gov/vuln/detail/CVE-2021-22939 https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-22939?
CVE-2021-22939 is a vulnerability in Node.js where if the HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, connections to servers with an expired certificate are accepted.
What is the severity of CVE-2021-22939?
The severity of CVE-2021-22939 is low with a CVSS score of 3.7.
How does CVE-2021-22939 affect Node.js?
CVE-2021-22939 allows connections to servers with an expired certificate to be accepted if the HTTPS API is used incorrectly.
Which versions of Node.js are affected by CVE-2021-22939?
Node.js versions 12.22.5, 14.17.5, and 16.6.2 are affected by CVE-2021-22939.
How do I fix CVE-2021-22939?
To fix CVE-2021-22939, upgrade Node.js to version 12.22.5, 14.17.5, or 16.6.2.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22939
- collector/redhat-cve
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/16.0.0
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/20.3.3
- version/oracle graalvm/21.2.0
- canonical/oracle jd edwards enterpriseone tools
- version/oracle jd edwards enterpriseone tools/9.2.6.1
- canonical/oracle mysql cluster
- version/oracle mysql cluster/8.0.26
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- vendor/netapp
- canonical/netapp nextgen api
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/redhat