GHSA-h8mc-42c3-r72p

Source
https://github.com/advisories/GHSA-h8mc-42c3-r72p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-h8mc-42c3-r72p/GHSA-h8mc-42c3-r72p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h8mc-42c3-r72p
Aliases
  • CVE-2017-16035
Published
2018-07-24T15:40:47Z
Modified
2023-11-08T03:59:00.802973Z
Summary
hubl-server downloads resources over HTTP
Details

Affected versions of hubl-server insecurely download dependencies over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running hubl-server.

Recommendation

No patch is currently available for this vulnerability, and the package has not seen any updates since 2015.

The best mitigation is currently to avoid using this package, switching to a different package if one is available.

Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo

Database specific
{
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed_at": "2020-06-16T21:39:31Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-311"
    ]
}
References

Affected packages

npm / hubl-server

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.1.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-h8mc-42c3-r72p/GHSA-h8mc-42c3-r72p.json"