CVE-2016-10534
 
Public Exploits: 0
Exploited in Wild: -
Descriptions
electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true. This could allow an attacker to perform a man-in-the-middle attack.
Timeline
- 2017-10-29 CVE Reserved
- 2018-05-31 CVE Published
- 2024-03-05 EPSS Updated
- 2024-09-17 CVE Updated
CWE
- CWE-295: Improper Certificate Validation
References (2)
URL | Tag |
---|---|
https://github.com/electron-userland/electron-packager/issues/333 | Issue Tracking |
https://nodesecurity.io/advisories/104 | Mitigation |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Electron-packager Project | Electron-packager | >= 5.2.1 <= 6.0.2 | node.js | Affected |