CVE-2016-10585

描述

Affected versions of `libxl` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `libxl`. ## Recommendation The module author recommends installing the bindings using a pinned and verified version of SDK instead of the automated download. More information is available in the modules [README](https://www.npmjs.com/package/libxl).

如何修補 CVE-2016-10585

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2016-10585 正在被利用嗎?

低 — EPSS 為 0.7%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 0.4.5

參考連結(4)

• ADVISORYgithub.com/advisories/GHSA-7vrq-vg6p-32fw
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10585
• PATCHgithub.com/DirtyHairy/node-libxl
• WEBwww.npmjs.com/advisories/178