CVE-2021-22939: Input Validation

Published Aug 11, 2021
·
Updated

A flaw was found in Node.js. If the Node.js HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, no error is returned, and the connections to servers with an expired certificate are accepted. The highest threat from this vulnerability is to integrity.

Other sources

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate.

IBM

Affected Software

20 affected componentsFixes available
redhat/rh-nodejs14-nodejs<0:14.17.5-1.el7
0:14.17.5-1.el7
redhat/rh-nodejs12-nodejs<0:12.22.5-1.el7
0:12.22.5-1.el7
redhat/rh-nodejs12-nodejs-nodemon<0:2.0.3-5.el7
0:2.0.3-5.el7
redhat/nodejs<12.22.5
12.22.5
redhat/nodejs<14.17.5
14.17.5
redhat/nodejs<16.6.2
16.6.2
IBM Cognos Controller<=11.0.0 - 11.0.1
Nodejs Node.js>=12.0.0<12.22.5
Nodejs Node.js>=14.0.0<14.17.5
Nodejs Node.js>=16.0.0<16.6.2
Oracle GraalVM=20.3.3
Oracle GraalVM=21.2.0
Oracle JD Edwards EnterpriseOne Tools<=9.2.6.1
Oracle MySQL Cluster<=8.0.26
Oracle PeopleSoft Enterprise PeopleTools=8.57
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
NetApp Nextgen Api
Siemens Sinec Infrastructure Network Services<1.0.1.1
Debian Debian Linux=10.0

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

Patch Available

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Aug 11, 2021
CVE Published
12:00 AM
Aug 16, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-22939?

CVE-2021-22939 is a vulnerability in Node.js where if the HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, connections to servers with an expired certificate are accepted.

2

What is the severity of CVE-2021-22939?

The severity of CVE-2021-22939 is low with a CVSS score of 3.7.

3

How does CVE-2021-22939 affect Node.js?

CVE-2021-22939 allows connections to servers with an expired certificate to be accepted if the HTTPS API is used incorrectly.

4

Which versions of Node.js are affected by CVE-2021-22939?

Node.js versions 12.22.5, 14.17.5, and 16.6.2 are affected by CVE-2021-22939.

5

How do I fix CVE-2021-22939?

To fix CVE-2021-22939, upgrade Node.js to version 12.22.5, 14.17.5, or 16.6.2.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203