Description
Affected versions of appium-chromedriver insecurely download resources over HTTP.
In scenarios where an attacker has a privileged network position, they can modify or read items send over HTTP at will. In this case, that includes the chromedriver binary, which may result in remote code execution if overwritten with a malicious binary.
Recommendation
Update the appium-chromedriver package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.9.4
- Patched version(s): 2.9.4
References
Related Issues
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
- Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
- Regular Expression Denial of Service in jsoneditor - CVE-2021-3822
- @intlify/shared Prototype Pollution vulnerability - CVE-2024-52810
- Tags:
- npm
- appium-chromedriver
Anything's wrong? Let us know Last updated on September 12, 2023