CVE-2017-16040

EPSS 0.74%
Veröffentlicht 04.06.2018 19:29:02
Zuletzt bearbeitet 21.11.2024 03:15:42
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gfe-sass Project ≫ Gfe-sass SwPlatformnode.js Version <= 1.0.19

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.74%	0.722

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://nodesecurity.io/advisories/291

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-16040

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-16040

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-16040

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2017-16040