CVE-2016-10633

Name of the Vulnerable Software and Affected Versions dwebp-bin versions (affected versions not specified)

Description The issue concerns the insecure download of binary resources over HTTP, making it susceptible to man-in-the-middle (MITM) attacks. This could potentially lead to remote code execution (RCE) if an attacker intercepts and replaces the requested binary with a malicious one. The vulnerability can be exploited when an attacker has a privileged network position, allowing them to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running dwebp-bin.

Recommendations To mitigate the issue, avoid using the dwebp-bin package if possible, and consider using a different package instead. Alternatively, reduce the risk of exploitation by avoiding installation of the package while connected to a public network, as the vulnerability can only be exploited by those with compromised network access or privileged ISP access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.