GitHub Advisory DatabaseGHSA-34R7-Q49F-H37CIncorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
81.7%
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Recommendation
Upgrade UglifyJS to version >= 2.4.24.
Affected configurations
References
www.openwall.com/lists/oss-security/2016/04/20/11
github.com/advisories/GHSA-34r7-q49f-h37c
github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e
github.com/mishoo/UglifyJS2/issues/751
github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml
nvd.nist.gov/vuln/detail/CVE-2015-8857
web.archive.org/web/20200227190830/www.securityfocus.com/bid/96410
zyan.scripts.mit.edu/blog/backdooring-js/
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
81.7%