{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31839", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.078Z", "datePublished": "2026-03-11T16:46:22.132Z", "dateUpdated": "2026-03-11T17:07:35.742Z"}, "containers": {"cna": {"title": "Striae has a hash validation utility vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-354", "lang": "en", "description": "CWE-354: Improper Validation of Integrity Check Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m"}, {"name": "https://github.com/striae-org/striae/releases/tag/v3.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/striae-org/striae/releases/tag/v3.0.0"}], "affected": [{"vendor": "striae-org", "product": "striae", "versions": [{"version": ">= 0.9.22-0, < 3.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T16:46:22.132Z"}, "descriptions": [{"lang": "en", "value": "Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0."}], "source": {"advisory": "GHSA-mmf8-487q-p45m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:06:57.326835Z", "id": "CVE-2026-31839", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:07:35.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31839", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T17:06:57.326835Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:07:24.095Z"}}], "cna": {"title": "Striae has a hash validation utility vulnerability", "source": {"advisory": "GHSA-mmf8-487q-p45m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "striae-org", "product": "striae", "versions": [{"status": "affected", "version": ">= 0.9.22-0, < 3.0.0"}]}], "references": [{"url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m", "name": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/striae-org/striae/releases/tag/v3.0.0", "name": "https://github.com/striae-org/striae/releases/tag/v3.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-354", "description": "CWE-354: Improper Validation of Integrity Check Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T16:46:22.132Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31839", "state": "PUBLISHED", "dateUpdated": "2026-03-11T17:07:35.742Z", "dateReserved": "2026-03-09T17:41:56.078Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T16:46:22.132Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:striae:striae:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3DECC8C8-51C3-472E-B292-6800B86701C3", "versionEndIncluding": "3.0.0", "versionStartIncluding": "0.9.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0."}, {"lang": "es", "value": "Striae es un compa\u00f1ero de comparaci\u00f3n para examinadores de armas de fuego. Exist\u00eda una vulnerabilidad de omisi\u00f3n de integridad de alta gravedad en el flujo de trabajo de confirmaci\u00f3n digital de Striae antes de la v3.0.0. La validaci\u00f3n solo por hash confiaba en los campos de hash del manifiesto que pod\u00edan ser modificados junto con el contenido del paquete, permitiendo que los paquetes de confirmaci\u00f3n manipulados pasaran las comprobaciones de integridad. Esta vulnerabilidad est\u00e1 corregida en la 3.0.0."}], "id": "CVE-2026-31839", "lastModified": "2026-03-20T16:56:55.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T17:16:58.270", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/striae-org/striae/releases/tag/v3.0.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-354"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.9.22-0,3.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "striae", "source": "cna", "vendor": "striae-org"}, "product": "striae", "vendor": "striae-org"}], "analysis": {"en": {"generated_at": "2026-03-20T18:24:15.719851+00:00", "value": {"mitigation_remediation": ["Update Striae to version 3.0.0 or later."], "summary": {"action": "Patch", "impact": "Integrity Bypass"}, "threat_synthesis": {"affected_systems": "Striae, a digital comparison companion for firearms examiners, is affected in all releases prior to version 3.0.0. Users running those earlier builds face the disclosed integrity bypass risk; the issue is resolved in the 3.0.0 release.", "description_and_impact": "A flaw in Striae\u2019s hash\u2011validation routine allows an attacker to modify both the manifest hash and the associated package contents, causing tampered confirmation packages to be accepted as authentic. This improper validation of cryptographic parameters (CWE\u2011354) can lead to forensic data being altered without detection, undermining the credibility of forensic analysis performed with the tool.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 8.2, indicating high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves delivering a crafted confirmation package to a user of Striae; if the package is accepted, the integrity check will fail to detect tampering. The exploit requires that the attacker can introduce the malicious package into the user\u2019s workflow."}}}}, "created": "2026-03-12T09:57:45.258259+00:00", "updated": "2026-03-23T09:55:22.966009+00:00", "vendors": ["striae-org", "striae-org$PRODUCT$striae"]}