Description

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Remediation

References

https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2

https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1

https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt

https://security.netapp.com/advisory/ntap-20210618-0004/

Related Vulnerabilities

CVE-2014-2058 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-29253 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2022-23541 Vulnerability in npm package jsonwebtoken

CVE-2022-24433 Vulnerability in npm package simple-git

CVE-2023-25767 Vulnerability in maven package org.jenkins-ci.plugins:azure-credentials

Severity

Critical

Classification

CWE-295 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Tags

Patch Third Party Advisory Release Notes Exploit