{"api_version":"1","generated_at":"2026-04-22T20:52:16+00:00","cve":"CVE-2021-22939","urls":{"html":"https://cve.report/CVE-2021-22939","api":"https://cve.report/api/cve/CVE-2021-22939.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-22939","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-22939"},"summary":{"title":"CVE-2021-22939","description":"If the Node.js https API was used incorrectly and \"undefined\" was passed in for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2021-08-16 19:15:00","updated_at":"2024-01-05 10:15:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/","refsource":"MISC","tags":[],"title":"August 2021 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210917-0003/","name":"https://security.netapp.com/advisory/ntap-20210917-0003/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-22939 Node.js Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","name":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 
2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202401-02","name":"GLSA-202401-02","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","name":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - January 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html","name":"[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3137-1] nodejs security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/1278254","name":"https://hackerone.com/reports/1278254","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","name":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","refsource":"CONFIRM","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-22939","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22939","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"nextgen_api","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"graalvm","cpe6":"20.3.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"graalvm","cpe6":"21.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"9.2.6.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jd_edwards_enterpriseone_tools","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"8.0.26
","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_cluster","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.57","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.58","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.59","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22939","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"siemens","cpe5":"sinec_infrastructure_network_services","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-22939","qid":"159398","title":"Oracle Enterprise Linux Security Update for nodejs:12 (ELSA-2021-3623)"},{"cve":"CVE-2021-22939","qid":"159408","title":"Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2021-3666)"},{"cve":"CVE-2021-22939","qid":"180328","title":"Debian Security Update for nodejs (CVE-2021-22939)"},{"cve":"CVE-2021-22939","qid":"181111","title":"Debian Security Update for nodejs (DLA 3137-1)"},{"cve":"CVE-2021-22939","qid":"239590","title":"Red Hat Update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:3281)"},{"cve":"CVE-2021-22939","qid":"239591","title":"Red Hat Update for rh-nodejs14-nodejs and 
rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)"},{"cve":"CVE-2021-22939","qid":"239645","title":"Red Hat Update for nodejs:12 (RHSA-2021:3623)"},{"cve":"CVE-2021-22939","qid":"239654","title":"Red Hat Update for nodejs:12 (RHSA-2021:3639)"},{"cve":"CVE-2021-22939","qid":"239655","title":"Red Hat Update for nodejs:12 (RHSA-2021:3638)"},{"cve":"CVE-2021-22939","qid":"239658","title":"Red Hat Update for nodejs:14 (RHSA-2021:3666)"},{"cve":"CVE-2021-22939","qid":"375786","title":"Node.js Remote Code Execution Vulnerability Aug 2021"},{"cve":"CVE-2021-22939","qid":"375877","title":"Kibana Multiple Security Vulnerabilities (ESA-2021-21, ESA-2021-22, ESA-2021-24)"},{"cve":"CVE-2021-22939","qid":"376257","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)"},{"cve":"CVE-2021-22939","qid":"377157","title":"Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2021:0072)"},{"cve":"CVE-2021-22939","qid":"500444","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2021-22939","qid":"501453","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2021-22939","qid":"501884","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2021-22939","qid":"502123","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2021-22939","qid":"504207","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2021-22939","qid":"505102","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2021-22939","qid":"690032","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (b092bd4f-1b16-11ec-9d9d-0022489ad614)"},{"cve":"CVE-2021-22939","qid":"710820","title":"Gentoo Linux c-ares Multiple Vulnerabilities (GLSA 202401-02)"},{"cve":"CVE-2021-22939","qid":"751061","title":"OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:2875-1)"},{"cve":"CVE-2021-22939","qid":"751071","title":"OpenSUSE Security Update for nodejs12 
(openSUSE-SU-2021:1214-1)"},{"cve":"CVE-2021-22939","qid":"751093","title":"OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:2953-1)"},{"cve":"CVE-2021-22939","qid":"751112","title":"OpenSUSE Security Update for nodejs10 (openSUSE-SU-2021:1239-1)"},{"cve":"CVE-2021-22939","qid":"751171","title":"OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:3211-1)"},{"cve":"CVE-2021-22939","qid":"751178","title":"OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:1313-1)"},{"cve":"CVE-2021-22939","qid":"900315","title":"CBL-Mariner Linux Security Update for nodejs 14.17.2"},{"cve":"CVE-2021-22939","qid":"901895","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (6744-1)"},{"cve":"CVE-2021-22939","qid":"903525","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (5423)"},{"cve":"CVE-2021-22939","qid":"940217","title":"AlmaLinux Security Update for nodejs:12 (ALSA-2021:3623)"},{"cve":"CVE-2021-22939","qid":"940388","title":"AlmaLinux Security Update for nodejs:14 (ALSA-2021:3666)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-22939","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_value":"Fixed version 16.6.2, 14.17.5, and 12.22.5"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Certificate Validation 
(CWE-295)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/","url":"https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/"},{"refsource":"MISC","name":"https://hackerone.com/reports/1278254","url":"https://hackerone.com/reports/1278254"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210917-0003/","url":"https://security.netapp.com/advisory/ntap-20210917-0003/"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"refsource":"CONFIRM","name":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html"}]},"description":{"description_data":[{"lang":"eng","value":"If the Node.js https API was used incorrectly and \"undefined\" was passed in for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted."}]}},"nvd":{"publishedDate":"2021-08-16 19:15:00","lastModifiedDate":"2024-01-05 
10:15:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"12.0.0","versionEndExcluding":"12.22.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.17.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"16.0.0","versionEndExcluding":"16.6.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:
2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*","versionEndIncluding":"8.0.26","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*","versionEndIncluding":"9.2.6.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.1.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"22939","Ordinal":"197672","Title":"CVE-2021-22939","CVE":"CVE-2021-22939","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"22939","Ordinal":"1","NoteData":"If the Node.js https API was used incorrectly and \"undefined\" was passed in for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"22939","Ordinal":"2","NoteData":"2021-08-16","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"22939","Ordinal":"3","NoteData":"2022-02-07","Type":"Other","Title":"Modified"}]}}}