CVE-2016-10557 – appium-chromedriver
Package
Manager: npm
Name: appium-chromedriver
Vulnerable Version: >=0 <2.9.4
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00807 (percentile 0.7329)
Details
appium-chromedriver downloads Resources over HTTP

Affected versions of `appium-chromedriver` insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read items sent over HTTP at will. In this case, that includes the chromedriver binary, which may result in remote code execution if overwritten with a malicious binary.

## Recommendation

Update to version 2.9.4 or later.
Metadata
Created: 2019-02-18T23:40:19Z
Modified: 2023-09-12T18:47:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-hc94-2wfr-4pwf/GHSA-hc94-2wfr-4pwf.json
CWE IDs: ["CWE-311"]
Alternative ID: GHSA-hc94-2wfr-4pwf
Finding: F020
Auto approve: 1