Bug 1953057 (CVE-2021-31597)
| Summary: | CVE-2021-31597 xmlhttprequest-ssl: SSL certificate validation disabled by default | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | amackenz, amasferr, bdettelb, chazlett, extras-orphan, mkudlej, tjochec, tomckay |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | xmlhttprequest-ssl-1.6.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in xmlhttprequest-ssl for Node.js. SSL certificate validation is disabled by default, due to rejectUnauthorized (when the property exists but is undefined) being considered to be false within the https.request function of Node.js (thus, no certificate is ever rejected). The highest threat from this vulnerablity is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1953058 | ||
| Bug Blocks: | 1953059, 1997390 | ||
|
Description
Pedro Sampaio
2021-04-23 19:31:53 UTC
Created nodejs-xmlhttprequest-ssl tracking bugs for this issue: Affects: fedora-32 [bug 1953058] Statement: The xmlhttprequest-ssl library is included in Red Hat Quay as a dependency of karma which is only used during testing. The library is not used a runtime reducing the impact of the vulnerability to low for Red Hat Quay. |