GHSA-mm7h-323r-9p4g

Опубликовано: 18 фев. 2019

Источник: github

Github: Прошло ревью

Описание

Downloads Resources over HTTP in imageoptim

imageoptim is a Node.js wrapper for some images compression algorithms.

imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

Recommendation

No fix is currently available for this vulnerability.

It is our recommendation to not install or use this module at this time.

Ссылки

Пакеты

Наименование

imageoptim

npm

Затронутые версииВерсия исправления

<= 0.5.0

Отсутствует

EPSS

Процентиль: 73%

0.00765

Низкий

CVE ID

CVE-2016-10596

Дефекты

CWE-311

Связанные уязвимости

CVE-2016-10596

CVSS3: 8.1

nvd

больше 7 лет назад

imageoptim is a Node.js wrapper for some images compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

EPSS

Процентиль: 73%

0.00765

Низкий

CVE ID

CVE-2016-10596

Дефекты

CWE-311