Lucene search

K
osvGoogleOSV:GHSA-2HPJ-G53M-9GJ6
HistoryFeb 18, 2019 - 11:58 p.m.

closure-util downloads Resources over HTTP

2019-02-1823:58:03
Google
osv.dev
4

0.002 Low

EPSS

Percentile

54.7%

Affected versions of closure-util insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running closure-util.

Recommendation

To mitigate this issue:

  1. Install the package using npm’s --ignore-scripts flag.
  2. Navigate to the package directory, and open default-config.json in a text editor
  3. Change the download URLs in the compiler_url and library_url to https equivalents
  4. run npm i in the package directory.
CPENameOperatorVersion
closure-utille2.0.0-beta.1

0.002 Low

EPSS

Percentile

54.7%

Related for OSV:GHSA-2HPJ-G53M-9GJ6