PT-2020-12332 · Lix · Lix

Published 2020-03-21 · Updated 2021-07-21 · CVE-2020-10800

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: lix versions 15.8.7 and earlier

Description: The issue allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream. This is done by associating the Location header with attacker-controlled executable content in the postDownload field. The package accepts downloads over http and follows Location header redirects for package downloads, so an attacker in a privileged network position can intercept a lix package installation and redirect the download to a malicious source.

Recommendations: For versions 15.8.7 and earlier, consider using an alternative package until a fix is made available. As a temporary workaround, consider restricting the use of the http protocol for package downloads to minimize the risk of exploitation. Avoid following Location header redirects for package downloads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
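The two workarounds above (refuse plain-http downloads, and do not follow Location redirects blindly) can be enforced as a download-URL policy. The following is an added example written for this advisory, not code from lix; the function names, the hop limit and the `*.example` hosts are assumptions, and the redirect chain is supplied as a list so the check runs offline.

```python
from typing import List, Optional, FrozenSet
from urllib.parse import urljoin, urlsplit

# Hypothetical policy for a package downloader: https only, a bounded
# number of redirect hops, and an optional host allowlist for redirects.
MAX_HOPS = 3


class UnsafeDownloadError(Exception):
    pass


def check_url(url: str) -> str:
    """Reject any download URL that is not https with a non-empty host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise UnsafeDownloadError(f"refusing non-https download: {url}")
    return url


def resolve_redirects(start_url: str, locations: List[str],
                      allowed_hosts: Optional[FrozenSet[str]] = None) -> str:
    """Walk the Location headers a server would return (given as a list) and
    return the final URL, or raise if any hop downgrades to http, lands on a
    host outside the allowlist, or the chain exceeds MAX_HOPS."""
    current = check_url(start_url)
    for hop, location in enumerate(locations, start=1):
        if hop > MAX_HOPS:
            raise UnsafeDownloadError("too many redirects")
        candidate = urljoin(current, location)  # Location may be relative
        check_url(candidate)
        host = urlsplit(candidate).hostname
        if allowed_hosts is not None and host not in allowed_hosts:
            raise UnsafeDownloadError(f"redirect to unexpected host: {host}")
        current = candidate
    return current


if __name__ == "__main__":
    # Constructed sample chains with placeholder hosts.
    print(resolve_redirects("https://registry.example/lix/pkg.zip",
                            ["/mirror/pkg.zip"], frozenset({"registry.example"})))
    for start, chain in [
        ("http://registry.example/lix/pkg.zip", []),                   # plain http
        ("https://registry.example/lix/pkg.zip", ["http://other.example/x"]),  # downgrade
    ]:
        try:
            resolve_redirects(start, chain)
        except UnsafeDownloadError as err:
            print("blocked:", err)
```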

IDOR


Weakness Enumeration

Related Identifiers

CVE-2020-10800
GHSA-Q8XG-8XWF-M598

Affected Products

Lix