CVE-2015-8857

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/04/20/11	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/96410	Third Party Advisory VDB Entry
https://nodesecurity.io/advisories/39	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:uglifyjs_project:uglifyjs:*:*:*:*:*:node.js:*:*

History

28 Oct 2021, 15:05

Type	Values Removed	Values Added
CPE	cpe:2.3:a:lisperator:uglifyjs::::::node.js::*	cpe:2.3:a:uglifyjs_project:uglifyjs::::::node.js::*

Information

Published : 2017-01-23 21:59

Updated : 2023-12-10 12:01

NVD link : CVE-2015-8857

Mitre link : CVE-2015-8857

CVE.ORG link : CVE-2015-8857

JSON object : View

Products Affected

uglifyjs_project

uglifyjs

CWE

CWE-254

7PK - Security Features

{"id": "CVE-2015-8857", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2017-01-23T21:59:00.580", "references": [{"url": "http://www.openwall.com/lists/oss-security/2016/04/20/11", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/96410", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://nodesecurity.io/advisories/39", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-254"}]}], "descriptions": [{"lang": "en", "value": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript."}, {"lang": "es", "value": "El paquete uglify-js en versiones anteriores a 2.4.24 para Node.js no tiene en cuenta adecuadamente los valores no booleanos al reescribir las expresiones booleanas, lo que podr\u00edan permitir a atacantes eludir los mecanismos de seguridad o posiblemente tener otro impacto no especificado aprovechando incorrectamente el Javascript reescrito."}], "lastModified": "2021-10-28T15:05:10.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:uglifyjs_project:uglifyjs:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AC16E931-F5DC-4D04-9C6D-9D86FFA40BE6", "versionEndExcluding": "2.4.24"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}