CVE-2016-10536
Insecure Defaults Allow MITM Over TLS in engine.io-client
5.9
MEDIUM
CVSS 3.1
EPSS 0.22%
描述
Affected versions of `engine.io-client` do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, such as undefined or null, certificate verification will be disabled. ## Recommendation Update to version 1.6.9 or later. If you are unable to upgrade, ensure all calls to socket.io to have a `rejectedUnauthorized: true` flag.
如何修補 CVE-2016-10536
要修補 CVE-2016-10536,請將受影響套件升級到下列已修補版本。
- —升級至 1.6.9 或更新版本
CVE-2016-10536 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.6.9
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |