Описание
hubl-server downloads resources over HTTP
Affected versions of hubl-server insecurely download dependencies over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running hubl-server.
Recommendation
No patch is currently available for this vulnerability, and it has not seen any updates since 2015.
The best mitigation is currently to avoid using this package, using a different package if available.
Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo
Пакеты
hubl-server
<= 1.1.5
Отсутствует
Связанные уязвимости
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.