GSD-2015-8857

Vulnerability from gsd - Updated: 2015-07-21 00:00
Details
The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted Javascript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within secure code, and activated by the minification process. For more information, consult: * https://zyan.scripts.mit.edu/blog/backdooring-js * CWE: 254 - 7PK - Security Features
Aliases
Aliases
CVE-2015-8857
To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-8857",
    "description": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.",
    "id": "GSD-2015-8857",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-8857.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "uglifier",
            "purl": "pkg:gem/uglifier"
          }
        }
      ],
      "aliases": [
        "CVE-2015-8857",
        "OSVDB-126747",
        "GHSA-34r7-q49f-h37c"
      ],
      "details": "\nThe upstream library for the Ruby uglifier gem, UglifyJS, is\naffected by a vulnerability that allows a specially crafted\nJavascript file to have altered functionality after minification.\n\nThis bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated\nto allow potentially malicious code to be hidden within secure code,\nand activated by the minification process.\n\nFor more information, consult:\n* https://zyan.scripts.mit.edu/blog/backdooring-js\n\n* CWE: 254 - 7PK - Security Features\n",
      "id": "GSD-2015-8857",
      "modified": "2015-07-21T00:00:00.000Z",
      "published": "2015-07-21T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/mishoo/UglifyJS2/issues/751"
        },
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8857"
        },
        {
          "type": "WEB",
          "url": "https://github.com/mishoo/UglifyJS/issues/751"
        },
        {
          "type": "WEB",
          "url": "https://blog.azuki.vip/backdooring-js"
        },
        {
          "type": "WEB",
          "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11"
        },
        {
          "type": "WEB",
          "url": "https://github.com/advisories/GHSA-34r7-q49f-h37c"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V2"
        },
        {
          "score": 9.8,
          "type": "CVSS_V3"
        }
      ],
      "summary": "uglifier incorrectly handles non-boolean comparisons during minification"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-8857",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "96410",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/96410"
          },
          {
            "name": "https://nodesecurity.io/advisories/39",
            "refsource": "CONFIRM",
            "url": "https://nodesecurity.io/advisories/39"
          },
          {
            "name": "[oss-security] 20160420 various vulnerabilities in Node.js packages",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-8857",
      "cvss_v2": 7.5,
      "cvss_v3": 9.8,
      "date": "2015-07-21",
      "description": "\nThe upstream library for the Ruby uglifier gem, UglifyJS, is\naffected by a vulnerability that allows a specially crafted\nJavascript file to have altered functionality after minification.\n\nThis bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated\nto allow potentially malicious code to be hidden within secure code,\nand activated by the minification process.\n\nFor more information, consult:\n* https://zyan.scripts.mit.edu/blog/backdooring-js\n\n* CWE: 254 - 7PK - Security Features\n",
      "gem": "uglifier",
      "ghsa": "34r7-q49f-h37c",
      "osvdb": 126747,
      "patched_versions": [
        "\u003e= 2.7.2"
      ],
      "related": {
        "url": [
          "https://nvd.nist.gov/vuln/detail/CVE-2015-8857",
          "https://github.com/mishoo/UglifyJS/issues/751",
          "https://blog.azuki.vip/backdooring-js",
          "https://www.openwall.com/lists/oss-security/2016/04/20/11",
          "https://github.com/advisories/GHSA-34r7-q49f-h37c"
        ]
      },
      "title": "uglifier incorrectly handles non-boolean comparisons during minification",
      "url": "https://github.com/mishoo/UglifyJS2/issues/751"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.7.2",
          "affected_versions": "All versions before 2.7.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2023-03-27",
          "description": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.",
          "fixed_versions": [
            "2.7.2"
          ],
          "identifier": "CVE-2015-8857",
          "identifiers": [
            "GHSA-34r7-q49f-h37c",
            "CVE-2015-8857"
          ],
          "not_impacted": "All versions starting from 2.7.2",
          "package_slug": "gem/uglifier",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 2.7.2 or above.",
          "title": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-8857",
            "https://github.com/mishoo/UglifyJS2/issues/751",
            "https://zyan.scripts.mit.edu/blog/backdooring-js/",
            "http://www.openwall.com/lists/oss-security/2016/04/20/11",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml",
            "https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410",
            "https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e",
            "https://github.com/advisories/GHSA-34r7-q49f-h37c"
          ],
          "uuid": "1194a94c-0a0b-4e24-86ed-47bfa4c1233d"
        },
        {
          "affected_range": "\u003c2.4.24",
          "affected_versions": "All versions before 2.4.24",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2021-10-29",
          "description": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.",
          "fixed_versions": [
            "2.4.24"
          ],
          "identifier": "CVE-2015-8857",
          "identifiers": [
            "GHSA-34r7-q49f-h37c",
            "CVE-2015-8857"
          ],
          "not_impacted": "All versions starting from 2.4.24",
          "package_slug": "npm/uglify-js",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 2.4.24 or above.",
          "title": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-8857",
            "https://github.com/mishoo/UglifyJS2/issues/751",
            "https://github.com/advisories/GHSA-34r7-q49f-h37c",
            "https://www.npmjs.com/advisories/39",
            "https://zyan.scripts.mit.edu/blog/backdooring-js/",
            "https://nodesecurity.io/advisories/39",
            "http://www.openwall.com/lists/oss-security/2016/04/20/11",
            "http://www.securityfocus.com/bid/96410"
          ],
          "uuid": "61e418d9-8b84-425a-bb44-88fd81a505f3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:uglifyjs_project:uglifyjs:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.24",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-8857"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-254"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodesecurity.io/advisories/39",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://nodesecurity.io/advisories/39"
            },
            {
              "name": "[oss-security] 20160420 various vulnerabilities in Node.js packages",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
            },
            {
              "name": "96410",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/96410"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-10-28T15:05Z",
      "publishedDate": "2017-01-23T21:59Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.