GHSA-hw4r-xr38-hm8j

Suggest an improvement
Source
https://github.com/advisories/GHSA-hw4r-xr38-hm8j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-hw4r-xr38-hm8j/GHSA-hw4r-xr38-hm8j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hw4r-xr38-hm8j
Aliases
  • CVE-2016-10610
Published
2019-02-18T23:47:59Z
Modified
2023-11-08T03:58:15.688967Z
Summary
Downloads Resources over HTTP in unicode-json
Details

Affected versions of unicode-json insecurely downloads resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution.

Recommendation

Install version 2.0.0 or greater.

Database specific
{
    "github_reviewed_at": "2020-06-16T21:41:11Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-311"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / unicode-json

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-hw4r-xr38-hm8j/GHSA-hw4r-xr38-hm8j.json"