CVE-2020-7689 : Data is truncated wrong when its length is greater than 255 bytes.

Data is truncated wrong when its length is greater than 255 bytes.

Published 2020-07-01 14:15:15

Updated 2021-07-21 11:39:24

Source Snyk

View at NVD, CVE.org

Vulnerability category: Overflow

Products affected by CVE-2020-7689

Node.bcrypt.js Project » Node.bcrypt.js » For Node.js
Versions before (<) 5.0.0
cpe:2.3:a:node.bcrypt.js_project:node.bcrypt.js:*:*:*:*:*:node.js:*:*
Matching versions

EPSS FAQ

0.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 32 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	Snyk
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Assigned by: nvd@nist.gov (Primary)
CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

Assigned by: nvd@nist.gov (Primary)

https://github.com/kelektiv/node.bcrypt.js/pull/807

Pass key_len to bcrypt(). Fix for issues kelektiv#774, kelektiv#776 by techhead · Pull Request #807 · kelektiv/node.bcrypt.js · GitHub
Patch;Third Party Advisory
https://snyk.io/vuln/SNYK-JS-BCRYPT-572911

Insecure Encryption in bcrypt | Snyk
Third Party Advisory
https://github.com/kelektiv/node.bcrypt.js/issues/776

Some compatibility issue with emoji · Issue #776 · kelektiv/node.bcrypt.js · GitHub
Third Party Advisory
https://github.com/kelektiv/node.bcrypt.js/pull/806

Fix overflow bug. See issue #776 by techhead · Pull Request #806 · kelektiv/node.bcrypt.js · GitHub
Patch;Third Party Advisory

Jump to