CVE-2016-10534

描述

Affected versions of `electron-packager` configure the generated application to disable SSL certificate verification by default. This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one. This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API. ## Recommendation 1. Update to version 7.0.0 or later. 2. Delete the `electron-download` cache folder, which is by default located at `~/.electron`.

如何修補 CVE-2016-10534

要修補 CVE-2016-10534,請將受影響套件升級到下列已修補版本。

• —升級至 7.0.0 或更新版本

CVE-2016-10534 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 5.2.1, < 7.0.0

參考連結(4)

• ADVISORYgithub.com/advisories/GHSA-q43m-ffwr-rpcc
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10534
• WEBgithub.com/electron-userland/electron-packager/issues/333
• WEBwww.npmjs.com/advisories/104