appium-chromedriver

Downloads Resources over HTTP

Severity: high

Overview

Affected versions of appium-chromedriver insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position (for example, on the path between the host and the download server), they can read or modify anything sent over HTTP at will. In this case, that includes the chromedriver binary, which may result in remote code execution if it is replaced with a malicious binary.

Remediation

Update to version 2.9.4 or later.

Vulnerable versions

0.0.2 (4 years ago)
0.1.0 (3 years ago)
0.2.0 (3 years ago)
0.2.1 (3 years ago)
0.2.2 (3 years ago)
1.0.0 (3 years ago)
1.0.1 (3 years ago)
1.1.0 (3 years ago)
2.0.0 (3 years ago)
2.0.1 (3 years ago)
2.0.2 (3 years ago)
2.0.3 (3 years ago)
2.0.4 (3 years ago)
2.0.5 (3 years ago)
2.0.6 (3 years ago)
2.0.7 (3 years ago)
2.0.8 (3 years ago)
2.0.9 (3 years ago)
2.0.10 (3 years ago)
2.1.0 (3 years ago)
2.1.1 (3 years ago)
2.1.2 (3 years ago)
2.1.3 (3 years ago)
2.2.0 (3 years ago)
2.2.1 (3 years ago)
2.3.0 (3 years ago)
2.3.2 (3 years ago)
2.3.3 (3 years ago)
2.3.4 (3 years ago)
2.3.5 (3 years ago)
2.3.6 (3 years ago)
2.3.7 (3 years ago)
2.3.8 (3 years ago)
2.4.0 (3 years ago)
2.4.1 (3 years ago)
2.4.2 (3 years ago)
2.5.0 (3 years ago)
2.5.1 (3 years ago)
2.6.0 (3 years ago)
2.7.0 (3 years ago)
2.8.0 (3 years ago)
2.8.1 (2 years ago)
2.8.2 (2 years ago)
2.8.3 (2 years ago)
2.9.0 (2 years ago)
2.9.1 (2 years ago)
2.9.2 (2 years ago)
2.9.3 (2 years ago)

Unaffected versions

2.5.0-beta1 (3 years ago)
2.9.4 (2 years ago)
2.10.0 (2 years ago)
2.10.1 (a year ago)
2.11.0 (a year ago)
2.11.1 (a year ago)
2.11.2 (a year ago)
2.11.3 (a year ago)
2.12.0 (a year ago)
2.12.1 (a year ago)
2.12.2 (a year ago)
2.12.3 (a year ago)
2.12.4 (a year ago)
3.0.0 (a year ago)
3.0.1 (a year ago)
3.1.0 (10 months ago)
3.1.1 (9 months ago)
3.1.2 (9 months ago)
3.1.3 (9 months ago)
3.1.4 (8 months ago)
3.2.0 (7 months ago)
3.3.0 (7 months ago)
3.4.0 (5 months ago)
3.5.0 (5 months ago)
3.5.1 (4 months ago)
3.5.2 (4 months ago)
3.6.0 (3 months ago)
4.0.0 (3 months ago)
4.1.0 (2 months ago)
4.2.0 (2 months ago)
4.3.0 (a month ago)
4.4.0 (20 days ago)

Advisory timeline

  1. published: Advisory published, Dec 6th, 2016
  2. reported: Nov 30th, 2016