CVE-2016-10589

Description

Versions of `selenium-binaries` prior to 0.15.0 insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `selenium-binaries`. ## Recommendation A fix for this vulnerability is available on the `master` branch of the repository as part of version 0.15.0. Another mitigation currently available is to use an alternate package, such as [selenium-webdriver](https://www.npmjs.com/package/selenium-webdriver), the official selenium bindings for node.js.

How to fix CVE-2016-10589

To remediate CVE-2016-10589, upgrade the affected package to a fixed version below.

• —upgrade to 0.15.0 or later

Is CVE-2016-10589 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.15.0

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10589
• PATCHgithub.com/spunjs/selenium-binaries
• WEBgithub.com/spunjs/selenium-binaries/commit/be37e82a3c43a4f1679d66cf9467085ec9994c47
• WEBgithub.com/spunjs/selenium-binaries/pull/33