{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-18T09:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210618-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31597", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt", "refsource": "MISC", "url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"}, {"name": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1", "refsource": "MISC", "url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"}, {"name": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2", "refsource": "MISC", "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"}, {"name": "https://security.netapp.com/advisory/ntap-20210618-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210618-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:03:33.466Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210618-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31597", "datePublished": "2021-04-22T23:52:48", "dateReserved": "2021-04-22T00:00:00", "dateUpdated": "2024-08-03T23:03:33.466Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlhttprequest-ssl_project:xmlhttprequest-ssl:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FBCD5604-E3C3-47BE-B429-6AAB717E7DB8", "versionEndExcluding": "1.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected."}, {"lang": "es", "value": "El paquete xmlhttprequest-ssl versiones anteriores a 1.6.1 para Node.js deshabilita la comprobaci\u00f3n del certificado SSL por defecto, porque acceptUnauthorized (cuando la propiedad existe pero no est\u00e1 definida) se considera falso dentro de la funci\u00f3n https.request de Node.js. En otras palabras, nunca se rechaza ning\u00fan certificado"}], "id": "CVE-2021-31597", "lastModified": "2024-11-21T06:05:57.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-23T00:15:08.283", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210618-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210618-0004/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "xmlhttprequest-ssl: SSL certificate validation disabled by default", "id": "1953057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1953057"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-295", "details": ["The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", "A flaw was found in xmlhttprequest-ssl for Node.js. SSL certificate validation is disabled by default, due to rejectUnauthorized (when the property exists but is undefined) being considered to be false within the https.request function of Node.js (thus, no certificate is ever rejected). The highest threat from this vulnerablity is to data confidentiality and integrity as well as system availability."], "name": "CVE-2021-31597", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2021-04-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-31597\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-31597"], "statement": "The xmlhttprequest-ssl library is included in Red Hat Quay as a dependency of karma which is only used during testing. The library is not used a runtime reducing the impact of the vulnerability to low for Red Hat Quay.", "threat_severity": "Important", "upstream_fix": "xmlhttprequest-ssl 1.6.1"}