Home > Vulnerability Database > CVE-2021-31597

Mend.io Vulnerability Database

CVE-2021-31597

Good to know:

Date: April 22, 2021

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Language: JS

Severity Score

9.4

Related Resources (8)

Url: https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2

Url: https://security.netapp.com/advisory/ntap-20210618-0004/

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-31597

Url: https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-31597

Url: https://security-tracker.debian.org/tracker/CVE-2021-31597

Url: https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt

Url: https://www.mend.io/vulnerability-database/CVE-2021-31597

Severity Score

9.4

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

Upgrade Version

Upgrade to version xmlhttprequest-ssl - 1.6.1

Learn More

CVSS v3.1

Base Score:	9.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-31597

Good to know:

Date: April 22, 2021

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?