CVE-2017-16035

Name of the Vulnerable Software and Affected Versions: hubl-server versions (affected versions not specified)

Description: The issue concerns the insecure download of dependencies by the hubl-server module. Although the download process starts over HTTPS from api.hubapi.com, it redirects to an HTTP URL, making it vulnerable to man-in-the-middle attacks. An attacker with network privileges could intercept and replace the dependencies with malicious ones, potentially leading to code execution on the system running hubl-server.

Recommendations: For all affected versions of hubl-server, consider avoiding the use of this package and opt for a different package if available. As a mitigation measure, reduce the risk of exploitation by avoiding installation of this package while connected to a public network. At the moment, there is no information about a newer version that contains a fix for this vulnerability.