CVE-2017-16035
hubl-server downloads resources over HTTP
Description
Affected versions of `hubl-server` insecurely download dependencies over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running `hubl-server`. ## Recommendation No patch is currently available for this vulnerability, and it has not seen any updates since 2015. The best mitigation is currently to avoid using this package, using a different package if available. Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo
How to fix CVE-2017-16035
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2017-16035 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 1.1.5