GHSA-gc6c-5v9w-xmhw

Source

https://github.com/advisories/GHSA-gc6c-5v9w-xmhw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-gc6c-5v9w-xmhw/GHSA-gc6c-5v9w-xmhw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gc6c-5v9w-xmhw

Aliases

CVE-2016-10580

Published

2019-02-18T23:51:27Z

Modified

2023-11-08T03:58:13.857368Z

Summary

Downloads Resources over HTTP in nodewebkit

Details

Affected versions of nodewebkit insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running nodewebkit.

Recommendation

No patch is currently available, and the package author has deprecated this package.

The best path forward in mitigating this vulnerability is to use the official installer instead of this package, as per the package author's instructions.

Database specific

{
    "cwe_ids": [
        "CWE-311"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:36:46Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}

References

Affected packages

npm / nodewebkit

Package

Name: nodewebkit; View open source insights on deps.dev
Purl: pkg:npm/nodewebkit

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.11.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-gc6c-5v9w-xmhw/GHSA-gc6c-5v9w-xmhw.json"