Bug 1993039 (CVE-2021-22939)
Summary: | CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bdettelb, caswilli, fjansen, hhorak, jnakfour, jorton, jstanek, kaycoth, mrunge, nodejs-maint, nodejs-sig, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Node.js. If the Node.js HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, no error is returned, and the connections to servers with an expired certificate are accepted. The highest threat from this vulnerability is to integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-26 15:35:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1993040, 1993041, 1993042, 1993043, 1993044, 1993045, 1993046, 1993047, 1993808, 1993809, 1993810, 1993811, 1993812, 1993813, 1993963, 1993966, 1993989, 1993990, 1993991, 1993998 | ||
Bug Blocks: | 1993049 |
Description
Dhananjay Arunesh
2021-08-12 09:53:28 UTC
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 1993040] Affects: fedora-all [bug 1993041] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993042] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993043] Created nodejs:13/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993044] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993045] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993046] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993047] Upstream commit: https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80 It links the following hackerone report, which has not been made public yet: https://hackerone.com/reports/1278254 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22939 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666 |