CVE-2021-31597

NameCVE-2021-31597
DescriptionThe xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-xmlhttprequest-ssl (PTS)buster, stretch1.6.0-1vulnerable
sid1.6.0-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-xmlhttprequest-sslsource(unstable)(unfixed)

Notes

[buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should possibly be removed from stable as well)
[stretch] - node-xmlhttprequest-ssl <no-dsa> (Minor issue)
https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt

Search for package or bug name: Reporting problems