CVE-2017-16035 – hubl-server

Package

Manager: npm
Name: hubl-server
Vulnerable Version: >=0 <=1.1.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00186 pctl0.40656

Details

hubl-server downloads resources over HTTP Affected versions of `hubl-server` insecurely download dependencies over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running `hubl-server`. ## Recommendation No patch is currently available for this vulnerability, and it has not seen any updates since 2015. The best mitigation is currently to avoid using this package, using a different package if available. Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo

Metadata

Created: 2018-07-24T15:40:47Z
Modified: 2023-09-06T20:06:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-h8mc-42c3-r72p/GHSA-h8mc-42c3-r72p.json
CWE IDs: ["CWE-311"]
Alternative ID: GHSA-h8mc-42c3-r72p
Finding: F020
Auto approve: 1