libxl

Downloads Resources over HTTP

Severity: high

Overview

Affected versions of libxl insecurely download an executable over an unencrypted HTTP connection.

An attacker with a privileged (on-path) network position can intercept the response and replace the executable with a malicious one, resulting in code execution on the system running libxl.

Remediation

The module author recommends installing the bindings using a pinned and verified version of the SDK instead of the automated download. More information is available in the module's README.

Vulnerable versions

0.0.1 (5 years ago)
0.0.2 (5 years ago)
0.0.3 (5 years ago)
0.0.4 (5 years ago)
0.0.5 (5 years ago)
0.0.6 (5 years ago)
0.0.7 (5 years ago)
0.0.8 (5 years ago)
0.0.9 (5 years ago)
0.0.10 (4 years ago)
0.0.11 (4 years ago)
0.0.12 (4 years ago)
0.1.0 (4 years ago)
0.1.1 (4 years ago)
0.1.2 (4 years ago)
0.2.0 (4 years ago)
0.2.1 (4 years ago)
0.2.2 (4 years ago)
0.1.3 (4 years ago)
0.2.3 (4 years ago)
0.2.4 (4 years ago)
0.2.5 (4 years ago)
0.2.6 (4 years ago)
0.2.7 (4 years ago)
0.2.8 (4 years ago)
0.2.9 (4 years ago)
0.2.10 (4 years ago)
0.2.11 (3 years ago)
0.2.12 (3 years ago)
0.2.13 (3 years ago)
0.2.14 (3 years ago)
0.2.15 (3 years ago)
0.2.16 (3 years ago)
0.2.17 (3 years ago)
0.2.18 (2 years ago)
0.2.19 (2 years ago)
0.2.20 (2 years ago)
0.3.0 (4 months ago)

Unaffected versions

Advisory timeline

  1. Published

    Advisory published
    Dec 18th, 2016
  2. Reported

    Initial report by Adam Baldwin
    Nov 30th, 2016