Cryptographic Issues Affecting ibapi package, versions [,2.4.2]


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
1.31% (86th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cryptographic Issues vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UNMANAGED-IBAPI-2382684
  • published26 Jan 2022
  • disclosed29 May 2018
  • creditUnknown

Introduced: 29 May 2018

CVE-2016-10593  (opens in a new tab)
CWE-310  (opens in a new tab)

How to fix?

There is no fixed version for ibapi.

Overview

Affected versions of this package are vulnerable to Cryptographic Issues ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

References

CVSS Scores

version 3.1