CVE-2021-22939

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

05 Jan 2024, 10:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202401-02 -

07 Nov 2022, 18:32

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html - Issue Tracking, Third Party Advisory
First Time Debian debian Linux
Debian
Oracle jd Edwards Enterpriseone Tools

06 Oct 2022, 20:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html -

25 Jul 2022, 18:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

06 Apr 2022, 14:13

Type Values Removed Values Added
CPE cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
First Time Siemens sinec Infrastructure Network Services
Siemens
References (MISC) https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ - Vendor Advisory (MISC) https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ - Patch, Vendor Advisory
References (MISC) https://hackerone.com/reports/1278254 - Permissions Required, Third Party Advisory (MISC) https://hackerone.com/reports/1278254 - Exploit, Issue Tracking, Third Party Advisory
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory

10 Mar 2022, 17:41

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

04 Mar 2022, 18:44

Type Values Removed Values Added
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
CPE cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
First Time Oracle peoplesoft Enterprise Peopletools

07 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

07 Dec 2021, 19:51

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210917-0003/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210917-0003/ - Third Party Advisory

20 Oct 2021, 11:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

17 Sep 2021, 22:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210917-0003/ -

24 Aug 2021, 17:09

Type Values Removed Values Added
References (MISC) https://hackerone.com/reports/1278254 - (MISC) https://hackerone.com/reports/1278254 - Permissions Required, Third Party Advisory
References (MISC) https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ - (MISC) https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ - Vendor Advisory
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 5.3
CWE CWE-295

16 Aug 2021, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2021-08-16 19:15

Updated : 2024-01-05 10:15


NVD link : CVE-2021-22939

Mitre link : CVE-2021-22939

CVE.ORG link : CVE-2021-22939


JSON object : View

Products Affected

debian

  • debian_linux

oracle

  • graalvm
  • mysql_cluster
  • jd_edwards_enterpriseone_tools
  • peoplesoft_enterprise_peopletools

netapp

  • nextgen_api

nodejs

  • node.js

siemens

  • sinec_infrastructure_network_services
CWE
CWE-295

Improper Certificate Validation