Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdjNmMtNXY5dy14bWh3
Downloads Resources over HTTP in nodewebkit
Affected versions of nodewebkit insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running nodewebkit.
Recommendation
No patch is currently available, and the package author has deprecated this package.
The best path forward in mitigating this vulnerability is to use the official installer instead of this package, as per the package author's instructions.
Permalink: https://github.com/advisories/GHSA-gc6c-5v9w-xmhwJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdjNmMtNXY5dy14bWh3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: almost 2 years ago
EPSS Percentage: 0.00175
EPSS Percentile: 0.5554
Identifiers: GHSA-gc6c-5v9w-xmhw, CVE-2016-10580
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10580
- https://github.com/advisories/GHSA-gc6c-5v9w-xmhw
- https://www.npmjs.com/advisories/173
Affected Packages
npm:nodewebkit
Dependent packages: 34Dependent repositories: 209
Downloads: 213 last month
Affected Version Ranges: <= 0.11.6
No known fixed version
All affected versions: 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.8.1, 0.8.2, 0.8.4, 0.8.5, 0.8.6, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6