jdf-sass downloads Resources over HTTP

Severity:: High

Description

Affected versions of jdf-sass insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running jdf-sass.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.0.18

References

GHSA-8cc8-8vvx-fhgw
www.npmjs.com
CVE-2016-10595
CWE-311
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Downloads Resources over HTTP in dalek-browser-chrome-canary - CVE-2016-10584
chromedriver Downloads Resources over HTTP - CVE-2016-10579
Downloads Resources over HTTP in strider-sauce - CVE-2016-10611
Downloads Resources over HTTP in product-monitor - CVE-2016-10567

Tags:: npm; jdf-sass

Anything's wrong? Let us know Last updated on September 13, 2023