Downloads Resources over HTTP in healthcenter

2019-02-18T23:42:06
ID GHSA-J336-34Q7-CGJ3
Type github
Reporter GitHub Advisory Database
Modified 2021-01-08T18:38:25

Description

Affected versions of healthcenter insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running healthcenter.

Recommendation

This package has been deprecated, and moved to a new package on npm: appmetrics.

In order to mitigate this vulnerability, please install the appmetrics package in place of healthcenter via the following commands: npm uninstall healthcenter -s npm install appmetrics -s