CVE-2016-10580

描述

Affected versions of `nodewebkit` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `nodewebkit`. ## Recommendation No patch is currently available, and the package author has deprecated this package. The best path forward in mitigating this vulnerability is to use the [official installer](https://www.npmjs.com/nw) instead of this package, as per the package author's instructions.

如何修補 CVE-2016-10580

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2016-10580 正在被利用嗎?

低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 0.11.6

參考連結(3)

• ADVISORYgithub.com/advisories/GHSA-gc6c-5v9w-xmhw
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10580
• WEBwww.npmjs.com/advisories/173