Resources Downloaded over Insecure Protocol Affecting ipip package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:ipip:20161130
- published 25 Dec 2016
- disclosed 30 Nov 2016
- credit Adam Baldwin
Introduced: 30 Nov 2016
CVE-2016-10594 Open this link in a new tabHow to fix?
There is no fix version for ipip
. This package is unmaintained and the author recommends using the official package.
Overview
ipip
queries geolocation information based on IP.
Affected versions of the package are vulnerable to Man in the Middle (MitM) attacks due to downloading resources over an insecure protocol. The vulnerability is in the /install.js
file, where it downloads a zip file over http. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.