CVE-2017-16035

UNKNOWN
Published 2018-06-04T19:00:00Z
No CVSS data available

Description

The hubl-server module is a wrapper for the HubL Development Server. During installation, hubl-server downloads a set of dependencies from api.hubapi.com. The code appears to download these files over HTTPS; however, the api.hubapi.com endpoint redirects to an HTTP URL. Because of this behaviour, an attacker able to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

GitHub Reviewed, severity: HIGH

hubl-server downloads resources over HTTP

GHSA-h8mc-42c3-r72p

Advisory Details

Affected versions of `hubl-server` insecurely download dependencies over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running `hubl-server`.

Recommendation

No patch is currently available for this vulnerability, and it has not seen any updates since 2015. The best mitigation is currently to avoid using this package, using a different package if available. Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo
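As an added example (not code from HuntDB, GitHub or the hubl-server project), the check below walks a download's redirect chain and refuses any hop that leaves HTTPS, which is the downgrade both the CVE description and the advisory above describe. The response table is constructed to mimic that behaviour; the paths and the cdn.example.invalid host are assumptions.

```javascript
// Walk a redirect chain hop by hop and refuse to continue once a hop is no
// longer https:. Automatic redirect-following in most HTTP clients would
// silently accept the https -> http downgrade described in CVE-2017-16035.
// `fetchHead(url)` is injected so the checker can be driven by a real client
// or, as here, by a constructed response table.
function resolveDownloadUrl(startUrl, fetchHead, maxHops = 5) {
  const chain = [startUrl];
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    // Check the scheme of every hop, not just the first one.
    if (new URL(current).protocol !== 'https:') {
      return { ok: false, reason: `insecure scheme at hop ${hop}: ${current}`, chain };
    }
    const res = fetchHead(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      // Location may be relative; resolve it against the current URL.
      current = new URL(res.location, current).toString();
      chain.push(current);
      continue;
    }
    if (res.status === 200) {
      return { ok: true, finalUrl: current, chain };
    }
    return { ok: false, reason: `unexpected status ${res.status} at ${current}`, chain };
  }
  return { ok: false, reason: 'too many redirects', chain };
}

// Constructed response table (assumption, not real server behaviour): the
// HTTPS endpoint answers with a redirect to a plain-HTTP URL, as the advisory
// describes, while a second host redirects safely within HTTPS.
const constructedResponses = {
  'https://api.hubapi.com/example/asset.zip':
    { status: 302, location: 'http://cdn.example.invalid/asset.zip' },
  'http://cdn.example.invalid/asset.zip': { status: 200 },
  'https://good.example.invalid/asset.zip': { status: 301, location: '/v2/asset.zip' },
  'https://good.example.invalid/v2/asset.zip': { status: 200 },
};
const constructedFetch = (url) => constructedResponses[url] || { status: 404 };

// Usage: a downgraded chain is rejected, an all-HTTPS chain is accepted.
console.log(resolveDownloadUrl('https://api.hubapi.com/example/asset.zip', constructedFetch));
console.log(resolveDownloadUrl('https://good.example.invalid/asset.zip', constructedFetch));
```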

Affected Packages

Ecosystem: npm, package: hubl-server
Affected versions: ≥0 ≤1.1.5

CVSS Scoring

CVSS Score

7.5

Advisory provided by GitHub Security Advisory Database. Published: July 24, 2018, Modified: September 6, 2023

Published: 2018-06-04T19:00:00Z
Last Modified: 2024-09-17T01:26:31.843Z