CVE-2016-10557

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-10557

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10557.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-10557

Aliases

GHSA-hc94-2wfr-4pwf

Published

2018-05-31T20:29:02Z

Modified

2025-07-29T06:59:37.052679Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

appium-chromedriver is a Node.js wrapper around Chromedriver. Versions below 2.9.4 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

References

https://nodesecurity.io/advisories/162

Affected packages

Git / github.com/appium/appium-chromedriver

Affected ranges

Type: GIT
Repo: https://github.com/appium/appium-chromedriver
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4a8cf1726ee2cf8beff11024e70b0a3be3a26549

Affected versions

v0.*

v0.0.2

v0.1.0

v0.2.0

v0.2.1

v0.2.2

v1.*

v1.0.0

v1.0.1

v1.1.0

v2.*

v2.0.0

v2.0.1

v2.0.10

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.5.1

v2.8.0

v2.9.0

v2.9.1

v2.9.2

v2.9.3