An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdxN3EtN3ZmaC0yeDNo

High

EPSS: 0.00774% (0.72521 Percentile)

install-nw downloads Resources over HTTP

Affected Packages: npm:install-nw
PURL: pkg:npm/install-nw
Affected Versions: < 1.1.5
Fixed Versions: 1.1.5
3 Dependent packages
9 Dependent repositories
34 Downloads last month

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, 1.1.1, 1.1.2, 1.1.3, 1.1.4

All unaffected versions

1.1.5

Affected versions of install-nw insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running install-nw.

Recommendation

Update to version 1.1.5 or later.
