Description
Machine-In-The-Middle in lix
All versions of lix are vulnerable to Machine-In-The-Middle. The package accepts package downloads over plain HTTP and follows Location header redirects during those downloads. This allows an attacker in a privileged network position to intercept a lix package installation and redirect the download to a malicious source.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Packages
Name: lix (npm)
Affected versions: <= 15.11.4
Fix version: none
Related vulnerabilities
CVSS3: 8.1
nvd
almost 6 years ago
lix through 15.8.7 allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field.