iedriver

Downloads Resources over HTTP

Severity: high

Overview

Affected versions of iedriver insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running iedriver.

Remediation

Update to iedriver version 3.0.0 or greater.
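
To find installs that still need this update, including copies pulled in transitively, the lockfile can be checked against the 3.0.0 boundary. The following is an added example, not code from the advisory or from the iedriver project; the function names `isVulnerable` and `findIedriver` and the sample lockfile contents are constructed for illustration, and it assumes npm's package-lock.json layouts (the flat `packages` map and the older nested `dependencies` tree).

```javascript
// Added example (not from the advisory): flag iedriver < 3.0.0 in a parsed package-lock.json.
const FIXED_MAJOR = 3; // the advisory's remediation: 3.0.0 or greater

function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return true; // git/file/missing version: fail closed for manual review
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major !== FIXED_MAJOR) return major < FIXED_MAJOR;
  // Assumption: a 3.0.0 prerelease sorts below 3.0.0 (semver), so it is not "3.0.0 or greater".
  return minor === 0 && patch === 0 && Boolean(m[4]);
}

function findIedriver(lock) {
  const hits = new Map(); // keyed by install path, so lockfileVersion 2 is not double-counted
  const record = (where, version) => {
    if (isVulnerable(version)) hits.set(where, { where, version });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === "iedriver") record(path, meta.version);
  }
  // lockfileVersion 1 (still present in 2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail + "node_modules/" + name;
      if (name === "iedriver") record(where, meta.version);
      walk(meta.dependencies, where + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample; "demo-app" and "e2e-kit" are hypothetical package names.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/iedriver": { version: "3.9.2" },
    "node_modules/e2e-kit/node_modules/iedriver": { version: "2.53.1" },
  },
  dependencies: {
    iedriver: { version: "3.9.2" },
    "e2e-kit": { version: "0.1.0", dependencies: { iedriver: { version: "2.53.1" } } },
  },
};

console.log(findIedriver(sampleLock));
```

In a real project, pass `JSON.parse` of the project's package-lock.json to `findIedriver` and treat any returned entry as a dependency that must be moved to 3.0.0 or greater.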

Vulnerable versions

2.1.1 (4 years ago)
2.1.2 (3 years ago)
2.1.3 (3 years ago)
2.45.0 (3 years ago)
2.45.1 (3 years ago)
2.46.0 (3 years ago)
2.47.0 (3 years ago)
2.48.0 (3 years ago)
2.49.0 (3 years ago)
2.50.0 (3 years ago)
2.51.0 (3 years ago)
2.52.0 (2 years ago)
2.52.2 (2 years ago)
2.53.0 (2 years ago)
2.53.1 (2 years ago)

Unaffected versions

3.0.0 (2 years ago)
3.1.0 (a year ago)
3.2.0 (a year ago)
3.3.0 (a year ago)
3.3.1-rc.1 (a year ago)
3.4.0 (a year ago)
3.5.0 (a year ago)
3.5.1 (a year ago)
3.6.0 (5 months ago)
3.7.0 (5 months ago)
3.8.0 (5 months ago)
3.9.0 (5 months ago)
3.9.1 (5 months ago)
3.9.2 (5 months ago)

Advisory timeline

  1. published: Advisory published, Dec 16th, 2016
  2. reported: Nov 30th, 2016