CVE-2026-31839 (GCVE-0-2026-31839)
Vulnerability from cvelistv5 – Published: 2026-03-11 16:46 – Updated: 2026-03-11 17:07
Title
Striae has a hash validation utility vulnerability
Summary
Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
References
2 references
| URL | Tags |
|---|---|
| https://github.com/striae-org/striae/security/adv… | x_refsource_CONFIRM |
| https://github.com/striae-org/striae/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| striae-org | striae | Affected: >= 0.9.22-0, < 3.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T17:06:57.326835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T17:07:35.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "striae",
"vendor": "striae-org",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.22-0, \u003c 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Striae is a firearms examiner\u0027s comparison companion. A high-severity integrity bypass vulnerability existed in Striae\u0027s digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:46:22.132Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m"
},
{
"name": "https://github.com/striae-org/striae/releases/tag/v3.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/striae-org/striae/releases/tag/v3.0.0"
}
],
"source": {
"advisory": "GHSA-mmf8-487q-p45m",
"discovery": "UNKNOWN"
},
"title": "Striae has a hash validation utility vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31839",
"datePublished": "2026-03-11T16:46:22.132Z",
"dateReserved": "2026-03-09T17:41:56.078Z",
"dateUpdated": "2026-03-11T17:07:35.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-31839",
"date": "2026-06-03",
"epss": "0.00018",
"percentile": "0.04975"
}
}
}