CVE-2017-16035

描述

Affected versions of `hubl-server` insecurely download dependencies over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running `hubl-server`. ## Recommendation No patch is currently available for this vulnerability, and it has not seen any updates since 2015. The best mitigation is currently to avoid using this package, using a different package if available. Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo

如何修補 CVE-2017-16035

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2017-16035 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 1.1.5

參考連結(3)

• ADVISORYgithub.com/advisories/GHSA-h8mc-42c3-r72p
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-16035
• WEBwww.npmjs.com/advisories/334