gsd-2015-8857
Vulnerability from gsd
Modified
2015-07-21 00:00
Details
The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted Javascript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within secure code, and activated by the minification process. For more information, consult: * https://zyan.scripts.mit.edu/blog/backdooring-js * CWE: 254 - 7PK - Security Features
Aliases
Aliases
CVE-2015-8857


To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-8857",
    "description": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.",
    "id": "GSD-2015-8857",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-8857.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "uglifier",
            "purl": "pkg:gem/uglifier"
          }
        }
      ],
      "aliases": [
        "CVE-2015-8857",
        "OSVDB-126747",
        "GHSA-34r7-q49f-h37c"
      ],
      "details": "\nThe upstream library for the Ruby uglifier gem, UglifyJS, is\naffected by a vulnerability that allows a specially crafted\nJavascript file to have altered functionality after minification.\n\nThis bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated\nto allow potentially malicious code to be hidden within secure code,\nand activated by the minification process.\n\nFor more information, consult:\n* https://zyan.scripts.mit.edu/blog/backdooring-js\n\n* CWE: 254 - 7PK - Security Features\n",
      "id": "GSD-2015-8857",
      "modified": "2015-07-21T00:00:00.000Z",
      "published": "2015-07-21T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/mishoo/UglifyJS2/issues/751"
        },
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8857"
        },
        {
          "type": "WEB",
          "url": "https://github.com/mishoo/UglifyJS/issues/751"
        },
        {
          "type": "WEB",
          "url": "https://blog.azuki.vip/backdooring-js"
        },
        {
          "type": "WEB",
          "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11"
        },
        {
          "type": "WEB",
          "url": "https://github.com/advisories/GHSA-34r7-q49f-h37c"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V2"
        },
        {
          "score": 9.8,
          "type": "CVSS_V3"
        }
      ],
      "summary": "uglifier incorrectly handles non-boolean comparisons during minification"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-8857",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "96410",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/96410"
          },
          {
            "name": "https://nodesecurity.io/advisories/39",
            "refsource": "CONFIRM",
            "url": "https://nodesecurity.io/advisories/39"
          },
          {
            "name": "[oss-security] 20160420 various vulnerabilities in Node.js packages",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-8857",
      "cvss_v2": 7.5,
      "cvss_v3": 9.8,
      "date": "2015-07-21",
      "description": "\nThe upstream library for the Ruby uglifier gem, UglifyJS, is\naffected by a vulnerability that allows a specially crafted\nJavascript file to have altered functionality after minification.\n\nThis bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated\nto allow potentially malicious code to be hidden within secure code,\nand activated by the minification process.\n\nFor more information, consult:\n* https://zyan.scripts.mit.edu/blog/backdooring-js\n\n* CWE: 254 - 7PK - Security Features\n",
      "gem": "uglifier",
      "ghsa": "34r7-q49f-h37c",
      "osvdb": 126747,
      "patched_versions": [
        "\u003e= 2.7.2"
      ],
      "related": {
        "url": [
          "https://nvd.nist.gov/vuln/detail/CVE-2015-8857",
          "https://github.com/mishoo/UglifyJS/issues/751",
          "https://blog.azuki.vip/backdooring-js",
          "https://www.openwall.com/lists/oss-security/2016/04/20/11",
          "https://github.com/advisories/GHSA-34r7-q49f-h37c"
        ]
      },
      "title": "uglifier incorrectly handles non-boolean comparisons during minification",
      "url": "https://github.com/mishoo/UglifyJS2/issues/751"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.7.2",
          "affected_versions": "All versions before 2.7.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2023-03-27",
          "description": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.",
          "fixed_versions": [
            "2.7.2"
          ],
          "identifier": "CVE-2015-8857",
          "identifiers": [
            "GHSA-34r7-q49f-h37c",
            "CVE-2015-8857"
          ],
          "not_impacted": "All versions starting from 2.7.2",
          "package_slug": "gem/uglifier",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 2.7.2 or above.",
          "title": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-8857",
            "https://github.com/mishoo/UglifyJS2/issues/751",
            "https://zyan.scripts.mit.edu/blog/backdooring-js/",
            "http://www.openwall.com/lists/oss-security/2016/04/20/11",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml",
            "https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410",
            "https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e",
            "https://github.com/advisories/GHSA-34r7-q49f-h37c"
          ],
          "uuid": "1194a94c-0a0b-4e24-86ed-47bfa4c1233d"
        },
        {
          "affected_range": "\u003c2.4.24",
          "affected_versions": "All versions before 2.4.24",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2021-10-29",
          "description": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.",
          "fixed_versions": [
            "2.4.24"
          ],
          "identifier": "CVE-2015-8857",
          "identifiers": [
            "GHSA-34r7-q49f-h37c",
            "CVE-2015-8857"
          ],
          "not_impacted": "All versions starting from 2.4.24",
          "package_slug": "npm/uglify-js",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 2.4.24 or above.",
          "title": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-8857",
            "https://github.com/mishoo/UglifyJS2/issues/751",
            "https://github.com/advisories/GHSA-34r7-q49f-h37c",
            "https://www.npmjs.com/advisories/39",
            "https://zyan.scripts.mit.edu/blog/backdooring-js/",
            "https://nodesecurity.io/advisories/39",
            "http://www.openwall.com/lists/oss-security/2016/04/20/11",
            "http://www.securityfocus.com/bid/96410"
          ],
          "uuid": "61e418d9-8b84-425a-bb44-88fd81a505f3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:uglifyjs_project:uglifyjs:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.24",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-8857"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-254"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodesecurity.io/advisories/39",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://nodesecurity.io/advisories/39"
            },
            {
              "name": "[oss-security] 20160420 various vulnerabilities in Node.js packages",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
            },
            {
              "name": "96410",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/96410"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-10-28T15:05Z",
      "publishedDate": "2017-01-23T21:59Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.