CVE-2016-10659 — Missing Encryption of Sensitive Data in Poco

CWE-311 — Missing Encryption of Sensitive Data CWE-3107 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.7%

top 27.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Macchina Poco Pocoproject Poco Hackerone Poco Node Module

Timeline

PublishedMay 29

Latest updateFeb 18

Description

poco - The POCO libraries, downloads source file resources used for compilation over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDmacchina/poco1.7.7

▶npmpocoproject/poco1.5.4

▶CVEListV5hackerone/poco_node_moduleAll versions

🔴Vulnerability Details

GHSA

poco downloads Resources over HTTP↗2019-02-18

▶

OSV

poco downloads Resources over HTTP↗2019-02-18

▶

CVEList

CVE-2016-10659: poco - The POCO libraries, downloads source file resources used for compilation over HTTP, which leaves it vulnerable to MITM attacks↗2018-05-29

▶

💬Community

Bugzilla

CVE-2016-10659 poco: MITM due to resources download over HTTP [epel-all]↗2018-05-31

▶

Bugzilla

CVE-2016-10659 poco: MITM due to resources download over HTTP↗2018-05-31

▶

Bugzilla

CVE-2016-10659 poco: MITM due to resources download over HTTP [fedora-all]↗2018-05-31

▶