CVE Vulnerabilities

CVE-2021-31597

Improper Certificate Validation

Published: Apr 23, 2021 | Modified: Dec 08, 2021
CVSS 3.x
9.4
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
9.4 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Ubuntu
MEDIUM

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Xmlhttprequest-ssl Xmlhttprequest-ssl_project * 1.6.1 (excluding)
Node-xmlhttprequest-ssl Ubuntu bionic *
Node-xmlhttprequest-ssl Ubuntu groovy *
Node-xmlhttprequest-ssl Ubuntu hirsute *
Node-xmlhttprequest-ssl Ubuntu trusty *

Potential Mitigations

References