CVE-2016-10651 — Missing Encryption of Sensitive Data in Webdriver-launcher Node Module

CWE-311 — Missing Encryption of Sensitive Data CWE-3103 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.5%

top 33.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hackerone Webdriver-launcher Node Module

Timeline

PublishedJun 4

Latest updateFeb 18

Description

webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶npmhackerone/webdriver-launcher_node_module0.1.3

▶CVEListV5hackerone/webdriver-launcher_node_moduleAll versions

🔴Vulnerability Details

GHSA

Downloads Resources over HTTP in webdriver-launcher↗2019-02-18

▶

OSV

Downloads Resources over HTTP in webdriver-launcher↗2019-02-18

▶