CVE-2015-9238

描述

Versions of `secure-compare` prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings. ## Recommendation Upgrade to version 3.0.1 or later.

如何修補 CVE-2015-9238

要修補 CVE-2015-9238,請將受影響套件升級到下列已修補版本。

• npm/secure-compare—升級至 3.0.1 或更新版本

CVE-2015-9238 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 3.0.1

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-9238
• WEBgithub.com/vadimdemedes/secure-compare/commit/dd1ff1ac0122de7e0af4f00c61ed73261062394a
• WEBgithub.com/vdemedes/secure-compare/pull/1
• WEBwww.npmjs.com/advisories/50