GHSA-qjf4-7642-c57p

Suggest an improvement
Source
https://github.com/advisories/GHSA-qjf4-7642-c57p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qjf4-7642-c57p/GHSA-qjf4-7642-c57p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qjf4-7642-c57p
Aliases
Published
2019-02-18T23:51:52Z
Modified
2023-11-08T03:58:13.736007Z
Summary
Downloads Resources over HTTP in unicode
Details

Affected versions of unicode insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution.

Recommendation

Update to version 9.0.0 or later.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-311"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:52:12Z"
}
References

Affected packages

npm / unicode

Package

Name
unicode
View open source insights on deps.dev
Purl
pkg:npm/unicode

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.0