Vulnerability Details : CVE-2015-9238
secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same length.
Vulnerability category: Overflow
Products affected by CVE-2015-9238
- cpe:2.3:a:secure-compare_project:secure-compare:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-9238
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 31 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-9238
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2015-9238
-
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Assigned by: nvd@nist.gov (Primary)
-
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Assigned by: support@hackerone.com (Secondary)
References for CVE-2015-9238
-
https://nodesecurity.io/advisories/50
npmThird Party Advisory
-
https://github.com/vdemedes/secure-compare/pull/1
Fix major oopsie by daguej · Pull Request #1 · vadimdemedes/secure-compare · GitHubThird Party Advisory
Jump to