npm

Severity: high

Downloads resources over HTTP

hubl-server

Overview

Affected versions of hubl-server insecurely download dependencies over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the responses and replace the dependencies with malicious ones, resulting in code execution on the system running hubl-server.

Remediation

No patch is currently available for this vulnerability, and it has not seen any updates since 2015.

The best mitigation is currently to avoid using this package, using a different package if available.

Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised yo

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Jun 5th, 2017
  2. reported

    Initial report by Adam Baldwin
    Mar 30th, 2017