Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2015-8857

Good to know:

icon
icon

Date: January 23, 2017

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Language: JS

Severity Score

Related Resources (12)

https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e
https://github.com/mishoo/UglifyJS2
https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410
https://nodesecurity.io/advisories/39
https://nvd.nist.gov/vuln/detail/CVE-2015-8857
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml
https://zyan.scripts.mit.edu/blog/backdooring-js
https://github.com/mishoo/UglifyJS2/issues/751
http://www.securityfocus.com/bid/96410
https://github.com/advisories/GHSA-g6f4-j6c2-w3p3
http://www.openwall.com/lists/oss-security/2016/04/20/11
https://www.mend.io/vulnerability-database/CVE-2015-8857

Severity Score

Weakness Type (CWE)

Security Features

CWE-254

Incorrect Comparison Logic Granularity

CWE-1254

Always-Incorrect Control Flow Implementation

CWE-670

Top Fix

icon

Upgrade Version

Upgrade to version v2.4.24

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us