Insecure Credential Comparison
Affecting safe-compare package, versions >=1.1.0 <1.1.2
Overview
safe-compare is a constant-time comparison algorithm to prevent timing attacks.
Affected versions of the package are vulnerable to Insecure Credential Comparison. They called the bufferAlloc function incorrectly, passing the password string as the fill value, which repeats the string until it fills the buffer, so the password was effectively "padded" with itself. As a result the passwords "a" and "aaaaaaaaaaaaa" compared as equal: a credential and any repetition of it produced identical buffers, so a shorter string could be accepted in place of the longer secret it repeats.
Remediation
Upgrade safe-compare to version 1.1.2 or higher.
CVSS Score
6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: High
- Availability: None
- Credit: Snyk Security Research Team
- CWE: CWE-522
- Snyk ID: npm:safe-compare:20180417
- Disclosed: 21 Feb, 2018
- Published: 17 Apr, 2018