GHSA-34r7-q49f-h37c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-34r7-q49f-h37c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-34r7-q49f-h37c/GHSA-34r7-q49f-h37c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-34r7-q49f-h37c
- Aliases
- Published
- 2017-10-24T18:33:36Z
- Modified
- 2024-02-16T08:16:42.823655Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
- Details
-
Versions of
uglify-jsprior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.Recommendation
Upgrade UglifyJS to version >= 2.4.24.
- Database specific
{ "github_reviewed": true, "severity": "CRITICAL", "cwe_ids": [ "CWE-1254", "CWE-670" ], "nvd_published_at": "2017-01-23T21:59:00Z", "github_reviewed_at": "2020-06-16T20:54:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-8857
- https://github.com/mishoo/UglifyJS2/issues/751
- https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e
- https://github.com/mishoo/UglifyJS2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml
- https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410
- https://zyan.scripts.mit.edu/blog/backdooring-js
- http://www.openwall.com/lists/oss-security/2016/04/20/11
Affected packages
npm / uglify-js
Package
- Name
- uglify-js
- View open source insights on deps.dev
- Purl
- pkg:npm/uglify-js
RubyGems / uglifier
Package
- Name
- uglifier
- Purl
- pkg:gem/uglifier