Lucene search
Mark LeeNODEJS:104HistoryApr 21, 2016 - 6:27 p.m.
SSL Validation Defaults to False
2016-04-2118:27:18
Mark Lee
www.npmjs.com
16
0.001 Low
EPSS
Percentile
27.1%
Overview
Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.
This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.
This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.
Recommendation
- Update to version 7.0.0 or later.
- Delete the
electron-downloadcache folder, which is by default located at~/.electron.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| electron-packager | ge | 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 |
Related
prion
prion
Command injection
2018-05-31 20:29:00
nvd
nvd
CVE-2016-10534
2018-05-31 20:29:01
veracode
veracode
Man-in-the-Middle (MitM)
2016-04-23 01:22:54
osv
osv
CVE-2016-10534
2018-05-31 20:29:01
SSL Validation Defaults to False in electron-packager
2019-02-18 23:58:24
cvelist
cvelist
CVE-2016-10534
2018-04-26 00:00:00
cve
cve
CVE-2016-10534
2018-05-31 20:29:01
github
github
SSL Validation Defaults to False in electron-packager
2019-02-18 23:58:24