CVE-2016-10661

描述

Affected versions of `phantomjs-cheniu` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `phantomjs-cheniu`. ## Recommendation No patch is currently available for this vulnerability. As this package is just a fork of Medium's [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs) package, the best mitigation is currently to install the `Medium` version of [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs). This can be done via the following command: ``` npm i phantomjs-prebuilt ```

如何修補 CVE-2016-10661

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2016-10661 正在被利用嗎?

低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 2.0.1

參考連結(3)

• ADVISORYgithub.com/advisories/GHSA-w364-8vfv-gvf5
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10661
• WEBwww.npmjs.com/advisories/262