Description
secure-compare versions 3.0.0 and below do not compare two strings correctly. The `compare` function compared the first argument with itself, so the check passed for any two strings of the same length.
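The following is an added example, not the secure-compare source: a reconstruction of the bug class described above next to a corrected comparison, with a regression check that catches the self-comparison. All function names and sample values are hypothetical and constructed for illustration.

```javascript
// Illustrative reconstruction of the bug class; NOT the secure-compare source.
// Function names are hypothetical.

// Flawed: the loop XORs a's characters against a itself, so `mismatch`
// never changes inside the loop and only the length check can fail.
function flawedCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ a.charCodeAt(i); // bug: should read b
  }
  return mismatch === 0;
}

// Corrected: every position of a is compared with the same position of b.
// On a length mismatch the loop still runs over a's full length (against a);
// the result is already fixed at false by the length check.
function fixedCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  const other = mismatch === 0 ? b : a;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ other.charCodeAt(i);
  }
  return mismatch === 0;
}

// Regression cases (constructed sample values). The same-length,
// different-content cases are the ones a self-comparison gets wrong.
const CASES = [
  { a: 'token-aaaaaaaa', b: 'token-aaaaaaaa', expect: true },
  { a: 'token-aaaaaaaa', b: 'token-bbbbbbbb', expect: false },
  { a: 'token-aaaaaaaa', b: 'token-aaaaaaab', expect: false },
  { a: 'short', b: 'longer-value', expect: false },
  { a: '', b: '', expect: true },
];

// Returns the cases a given compare function gets wrong.
function failingCases(compareFn) {
  return CASES.filter((c) => compareFn(c.a, c.b) !== c.expect);
}

console.log('flawed fails:', failingCases(flawedCompare).length);
console.log('fixed fails:', failingCases(fixedCompare).length);
```

Node.js also ships `crypto.timingSafeEqual`, which performs this comparison on Buffers of equal byte length.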
Remediation
References
https://github.com/vdemedes/secure-compare/pull/1
https://nodesecurity.io/advisories/50