| Vulnerability Name: | CVE-2016-10579 (CCN-148977) | ||||||||||||||||||||||||||||
| Assigned: | 2016-12-18 | ||||||||||||||||||||||||||||
| Published: | 2016-12-18 | ||||||||||||||||||||||||||||
| Updated: | 2019-10-09 | ||||||||||||||||||||||||||||
| Summary: | Chromedriver is an NPM wrapper for selenium ChromeDriver. Chromedriver before 2.26.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server. | ||||||||||||||||||||||||||||
| CVSS v3 Severity: | 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) 7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||
| CVSS v2 Severity: | 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
| ||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-310 | ||||||||||||||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2016-10579 Source: XF Type: UNKNOWN nodejs-cve201610579-code-exec(148977) Source: MISC Type: Third Party Advisory https://nodesecurity.io/advisories/160 Source: CCN Type: NPM Web site chromedriver | ||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||