GHSA-5g4r-87v2-jqvx

Source

https://github.com/advisories/GHSA-5g4r-87v2-jqvx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5g4r-87v2-jqvx/GHSA-5g4r-87v2-jqvx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5g4r-87v2-jqvx

Aliases

CVE-2016-10564

Published

2020-09-01T16:05:44Z

Modified

2023-11-08T03:58:12.876987Z

Summary

Downloads Resources over HTTP in apk-parser

Details

apk-parser is a tool to extract Android Manifest info from an APK file.

apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Recommendation

Update to version 0.1.6 or later.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:14:17Z",
    "cwe_ids": [
        "CWE-311"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

npm / apk-parser

Package

Name: apk-parser; View open source insights on deps.dev
Purl: pkg:npm/apk-parser

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5g4r-87v2-jqvx/GHSA-5g4r-87v2-jqvx.json"