Bug 1953057 (CVE-2021-31597) - CVE-2021-31597 xmlhttprequest-ssl: SSL certificate validation disabled by default
Summary: CVE-2021-31597 xmlhttprequest-ssl: SSL certificate validation disabled by def...
Keywords:
Status: NEW
Alias: CVE-2021-31597
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1953058
Blocks: 1953059 1997390
Reported: 2021-04-23 19:31 UTC by Pedro Sampaio
Modified: 2023-07-07 08:32 UTC (History)

Fixed In Version: xmlhttprequest-ssl-1.6.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in xmlhttprequest-ssl for Node.js. SSL certificate validation is disabled by default, due to rejectUnauthorized (when the property exists but is undefined) being considered to be false within the https.request function of Node.js (thus, no certificate is ever rejected). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Pedro Sampaio 2021-04-23 19:31:53 UTC
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

References:

https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt
https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1
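The option-handling mistake described above, as an added example that is not code from xmlhttprequest-ssl or Node.js: applyTlsDefaults is a simplified model (an assumption for this example) of how Node's TLS layer fills in its rejectUnauthorized default, and the buildOptions* helpers, hasUnsafeUndefinedReject and the host value are constructed for illustration.

```javascript
// Simplified model of how Node's tls.connect applies defaults: a later spread of
// the caller's options overrides the default. An own property that exists but is
// undefined therefore replaces `true` with `undefined`, and the downstream check
// `if (options.rejectUnauthorized)` treats undefined as false.
function applyTlsDefaults(userOptions) {
  return { rejectUnauthorized: true, ...userOptions };
}

// Vulnerable pattern: copy the caller's setting unconditionally, so a caller that
// never configured it still produces an own property whose value is undefined.
function buildOptionsVulnerable(settings) {
  return {
    host: settings.host,
    rejectUnauthorized: settings.rejectUnauthorized, // undefined when unset
  };
}

// Hardened pattern: only honour an explicit boolean; otherwise leave the key out
// entirely so the secure default (true) survives the merge.
function buildOptionsHardened(settings) {
  const options = { host: settings.host };
  if (typeof settings.rejectUnauthorized === 'boolean') {
    options.rejectUnauthorized = settings.rejectUnauthorized;
  }
  return options;
}

// Mirrors the truthiness test that decides whether a failed chain is fatal.
function certificateErrorsAreFatal(options) {
  return Boolean(applyTlsDefaults(options).rejectUnauthorized);
}

// Defensive check: flag an options object that carries the key with value undefined,
// which is exactly the shape that silently disables verification.
function hasUnsafeUndefinedReject(options) {
  return Object.prototype.hasOwnProperty.call(options, 'rejectUnauthorized')
    && options.rejectUnauthorized === undefined;
}

const settings = { host: 'example.test' }; // constructed sample; no reject setting given
console.log(certificateErrorsAreFatal(buildOptionsVulnerable(settings))); // false
console.log(certificateErrorsAreFatal(buildOptionsHardened(settings)));   // true
```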

Comment 1 Pedro Sampaio 2021-04-23 19:32:21 UTC
Created nodejs-xmlhttprequest-ssl tracking bugs for this issue:

Affects: fedora-32 [bug 1953058]

Comment 2 Jason Shepherd 2021-04-28 02:44:07 UTC
Statement:

The xmlhttprequest-ssl library is included in Red Hat Quay as a dependency of karma, which is only used during testing. The library is not used at runtime, reducing the impact of the vulnerability to low for Red Hat Quay.
