selenium-download

Downloads Resources over HTTP

Severity: high

Overview

Affected versions of selenium-download insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running selenium-download.

Remediation

Update to version 2.0.7 or later.

Vulnerable versions

1.0.0 (4 years ago)
1.0.1 (4 years ago)
1.0.2 (4 years ago)
1.0.3 (4 years ago)
1.1.0 (4 years ago)
1.2.0 (4 years ago)
1.2.1 (4 years ago)
1.2.2 (4 years ago)
2.0.0 (4 years ago)
2.0.1 (2 years ago)
2.0.2 (2 years ago)
2.0.3 (2 years ago)
2.0.4 (2 years ago)
2.0.5 (2 years ago)
2.0.6 (2 years ago)

Unaffected versions

2.0.7 (2 years ago)
2.0.8 (2 years ago)
2.0.9 (2 years ago)
2.0.10 (a year ago)
2.0.11 (8 months ago)
2.0.12 (6 months ago)
2.0.13 (11 days ago)

Advisory timeline

  1. Reported: Nov 30th, 2016
  2. Published: Dec 6th, 2016