CVE-2016-10581
steroids downloads resources over HTTP
描述
Affected versions of `steroids` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `steroids`. ## Recommendation This vulnerability was discovered and reported in 2016, yet has not seen a patch issued as of 03/2018. As of 08/2022, [the package is marked as deprecated](https://www.npmjs.com/package/steroids) and the GitHub repository is no longer publicly available. The best path forward for mitigating this issue is to attempt to use an alternative module that is actively maintained and which provides similar functionality, such as the native PhoneGap API.
如何修補 CVE-2016-10581
目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。
- —未列出修補版本
CVE-2016-10581 正在被利用嗎?
低 — EPSS 為 1.7%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, <= 4.1.27
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |