Insecure Credential Comparison

Affecting safe-compare package, versions >=1.1.0 <1.1.2

medium severity

Overview

safe-compare is a constant-time string comparison library intended to prevent timing attacks.

Affected versions of the package are vulnerable to Insecure Credential Comparison. The package used the bufferAlloc constructor incorrectly, so that the password string was "padded" with repeated copies of itself to the length of the value it was compared against. As a result, the passwords "a" and "aaaaaaaaaaaaa" compared as equal.

Remediation

Upgrade safe-compare to version 1.1.2 or higher.

Credit
Snyk Security Research Team
CWE
CWE-522
Snyk ID
npm:safe-compare:20180417
Disclosed
21 Feb, 2018
Published
17 Apr, 2018