CVE-2017-16024

The sync-exec module is used to simulate childprocess.execSync in node versions 0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential informati...

CVE-2017-16007

CVE-2017-16007 affects the node-jose library prior to 0.9.3, where JWE with ECDH-ES can permit an invalid-curve attack and allow recovery of the private key. The vulnerability is described across NVD, OSV, GHSA, and IBM advisories, which also recommend upgrading to 0.9.3 or later as the remediati...

CVE-2017-16024

The CVE-2017-16024 entry concerns the sync-exec module, used to simulate Node.js child_process.execSync in Node versions

CVE-2016-10677

google-closure-tools-latest is a Node.js module wrapper for downloading the latest version of the Google Closure tools google-closure-tools-latest downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping ou...

CVE-2016-10677

google-closure-tools-latest is a Node.js module wrapper for downloading the latest version of the Google Closure tools google-closure-tools-latest downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping ou...

CVE-2016-10651

webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if the...

CVE-2016-10664

mystem is a Node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if th...

Remote code execution

webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if the...

Remote code execution

mystem is a Node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if th...

Information disclosure

google-closure-tools-latest is a Node.js module wrapper for downloading the latest version of the Google Closure tools google-closure-tools-latest downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping ou...

CVE-2016-10677

The CVE-2016-10677 issue affects the Node.js wrapper package google-closure-tools-latest, which downloads Google Closure tools over HTTP. The core risk is MITM interception of binary resources, allowing an attacker on the network to swap the requested executable with a malicious copy, potentially...

CVE-2016-10664

mystem is a Node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if th...

CVE-2016-10651

CVE-2016-10651 affects the Node.js Selenium Webdriver Launcher, webdriver-launcher, which downloads binary resources over HTTP. This enables MITM attacks where an attacker on the network can swap the binary, potentially leading to remote code execution on the user’s system. Public references cons...

CVE-2016-10664

The CVE-2016-10664 issue affects the mystem Node.js wrapper for Yandex MyStem, where binary resources are downloaded over HTTP. This enables a MITM attacker with network access to swap the requested binary for a malicious one, potentially causing remote code execution on the host. The affected be...

CVE-2016-10677

google-closure-tools-latest is a Node.js module wrapper for downloading the latest version of the Google Closure tools google-closure-tools-latest downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping ou...

CVE-2016-10623

macaca-chromedriver-zxa is a Node.js wrapper for the selenium chromedriver. macaca-chromedriver-zxa downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker...

CVE-2016-10633

dwebp-bin is a dwebp node.js wrapper that convert WebP into PNG. dwebp-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if the attacke...

CVE-2016-10613

bionode-sra is a Node.js wrapper for SRA Toolkit. bionode-sra downloads data resources over HTTP, which leaves it vulnerable to MITM attacks...

CVE-2016-10599

sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar program for establishing a secure tunnel for intranet testing. sauce-connect downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping o...

CVE-2016-10614

httpsync is a port of libcurl to node.js. httpsync downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or...