CVE-2016-10585 — Downloads Resources over HTTP in libxl

Description

Affected versions of `libxl` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `libxl`. ## Recommendation The module author recommends installing the bindings using a pinned and verified version of SDK instead of the automated download. More information is available in the modules [README](https://www.npmjs.com/package/libxl).

How to fix CVE-2016-10585

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2016-10585 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.4.5

References (4)

ADVISORYgithub.com/advisories/GHSA-7vrq-vg6p-32fw
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10585
PATCHgithub.com/DirtyHairy/node-libxl
WEBwww.npmjs.com/advisories/178