cipher-base is missing type checks, leading to hash rewind and passing on crafted data
This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package.
It also affects `create-hmac` and other packages.
Node.js `createHash` works only on strings or instances of Buffer, TypedArray, or DataView.
Missing input type checks (in the npm `create-hash` polyfill of Node.js `createHash`) can allow types other than a well-formed `Buffer` or `string` to be passed in, resulting in invalid values, hangs, rewinding of the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Related CWE categories:
1. CWE-937: OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities. Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2. CWE-1035: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities. Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.