If the Node.js https API was used incorrectly and undefined was in passed for the rejectUnauthorized parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node.js | Nodejs | 12.0.0 (including) | 12.22.5 (excluding) |
| Node.js | Nodejs | 14.0.0 (including) | 14.17.5 (excluding) |
| Node.js | Nodejs | 16.0.0 (including) | 16.6.2 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:12-8040020210817133458.522a0ee4 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:14-8040020210817165654.522a0ee4 | * |
| Red Hat Enterprise Linux 8.1 Extended Update Support | RedHat | nodejs:12-8010020210817113128.c27ad7f8 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | nodejs:12-8020020210817125332.4cda2c84 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs14-nodejs-0:14.17.5-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs12-nodejs-0:12.22.5-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs14-nodejs-0:14.17.5-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs12-nodejs-0:12.22.5-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7 | * |
| Nodejs | Ubuntu | bionic | * |
| Nodejs | Ubuntu | esm-apps/bionic | * |
| Nodejs | Ubuntu | esm-apps/focal | * |
| Nodejs | Ubuntu | esm-apps/xenial | * |
| Nodejs | Ubuntu | focal | * |
| Nodejs | Ubuntu | hirsute | * |
| Nodejs | Ubuntu | impish | * |
| Nodejs | Ubuntu | kinetic | * |
| Nodejs | Ubuntu | trusty | * |
| Nodejs | Ubuntu | trusty/esm | * |
| Nodejs | Ubuntu | upstream | * |
| Nodejs | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1278254
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
- https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
- https://security.gentoo.org/glsa/202401-02
- https://security.netapp.com/advisory/ntap-20210917-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1278254
- https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
- https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
- https://security.gentoo.org/glsa/202401-02
- https://security.netapp.com/advisory/ntap-20210917-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html