PT-2018-4843 · Samatt · Herbivore

Published

2018-06-04

Updated

2019-10-09

CVE-2016-10665

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions herbivore versions 0.0.3 and below

Description The issue concerns a packet sniffing and crafting library that insecurely downloads binary resources over HTTP, making it susceptible to man-in-the-middle (MITM) attacks. This could potentially lead to remote code execution (RCE) if an attacker intercepts the download and replaces the resources with malicious ones. The vulnerability can be exploited if the attacker has a privileged network position, allowing them to intercept and modify the response.

Recommendations For versions 0.0.3 and below, update the package by installing it from github using the command: npm i samatt/herbivore

Fix

Missing Encryption of Sensitive Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310CWE-311

Related Identifiers

CVE-2016-10665

GHSA-7R2X-3QCM-8VFW

Affected Products

Herbivore

PT-2018-4843 · Samatt · Herbivore

CVE-2016-10665

Weakness Enumeration

Related Identifiers

Affected Products

References · 8