Vulnerability-Lookup

GHSA-5M9C-634G-47VQ

Vulnerability from github – Published: 2019-02-18 23:35 – Updated: 2022-08-03 21:20

Summary

steroids downloads resources over HTTP

Details

Affected versions of steroids insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running steroids.

Recommendation

This vulnerability was discovered and reported in 2016, yet has not seen a patch issued as of 03/2018. As of 08/2022, the package is marked as deprecated and the GitHub repository is no longer publicly available.

The best path forward for mitigating this issue is to attempt to use an alternative module that is actively maintained and which provides similar functionality, such as the native PhoneGap API.

Severity ?

8.1 (High)


                  
                    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "steroids"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.1.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:16:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `steroids` insecurely download an executable over an unencrypted HTTP connection. \n\nIn scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `steroids`.\n\n\n## Recommendation\n\nThis vulnerability was discovered and reported in 2016, yet has not seen a patch issued as of 03/2018. As of 08/2022, [the package is marked as deprecated](https://www.npmjs.com/package/steroids) and the GitHub repository is no longer publicly available.\n\nThe best path forward for mitigating this issue is to attempt to use an alternative module that is actively maintained and which provides similar functionality, such as the native PhoneGap API.",
  "id": "GHSA-5m9c-634g-47vq",
  "modified": "2022-08-03T21:20:09Z",
  "published": "2019-02-18T23:35:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10581"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AppGyver/steroids"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AppGyver/steroids/blob/master/package.json#L101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AppGyver/steroids/blob/master/package.json#L103-L104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AppGyver/steroids/blob/master/package.json#L74"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/168"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "steroids downloads resources over HTTP"
}

CVE-2016-10581 (GCVE-0-2016-10581)

Vulnerability from cvelistv5 – Published: 2018-06-01 18:00 – Updated: 2024-09-16 18:33

Summary

Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity. steroids downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

Severity ?

No CVSS data available.

CWE

CWE-311 - Missing Encryption of Sensitive Data (CWE-311)

Assigner

hackerone

References

URL

Tags

https://nodesecurity.io/advisories/168

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	HackerOne	steroids node module	Affected: All versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:30:19.075Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/168"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "steroids node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity. steroids downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "Missing Encryption of Sensitive Data (CWE-311)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-01T17:57:01",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/168"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2016-10581",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "steroids node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity. steroids downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Encryption of Sensitive Data (CWE-311)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nodesecurity.io/advisories/168",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/168"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2016-10581",
    "datePublished": "2018-06-01T18:00:00Z",
    "dateReserved": "2017-10-29T00:00:00",
    "dateUpdated": "2024-09-16T18:33:59.022Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted