CVE-2021-31597

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-31597
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31597.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-31597
Published
2021-04-23T00:15:08Z
Modified
2025-01-15T01:53:10.638061Z
Severity
  • 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
[none]
Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Affected packages

Git / github.com/mjwwit/node-xmlhttprequest

Affected ranges

Type
GIT
Repo
https://github.com/mjwwit/node-xmlhttprequest
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.4
1.5.5

v1.*

v1.6.0