CVE-2021-22939

Description

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

How to fix CVE-2021-22939

To remediate CVE-2021-22939, upgrade the affected package to a fixed version below.

Alpine/nodejs—upgrade to 12.22.5-r0 or later
Bitnami/node—upgrade to 12.22.5 or later
—upgrade to 12.22.5 or later
—upgrade to 12.22.5~dfsg-2~11u1 or later

Is CVE-2021-22939 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 12.22.5-r0
>= 12.0.0, < 12.22.5, >= 14.0.0, < 14.17.5, >= 16.0.0, < 16.6.2
>= 12.0.0, < 12.22.5, >= 14.0.0, < 14.17.5, >= 16.0.0, < 16.6.2
from 0, < 12.22.5~dfsg-2~11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (12)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-22939
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-22939
WEBcert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
WEBhackerone.com/reports/1278254
WEB