Insecure Credential Comparison

Affecting safe-compare package, versions >=1.1.0 <1.1.2

Overview

safe-compare is a constant-time string comparison library intended to prevent timing attacks.

Affected versions of the package are vulnerable to Insecure Credential Comparison. The package used the bufferAlloc constructor incorrectly, which caused the password string to be "padded" with copies of itself. As a result, the passwords "a" and "aaaaaaaaaaaaa" compared as equal.

Remediation

Upgrade safe-compare to version 1.1.2 or higher.


CVSS Score

6.5
medium severity
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: High
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Credit: Snyk Security Research Team
CWE: CWE-522
Snyk ID: npm:safe-compare:20180417
Disclosed: 21 Feb, 2018
Published: 17 Apr, 2018