{"id":"GHSA-4p7j-5ppx-rfhm","summary":"Downloads Resources over HTTP in apk-parser3","details":"Affected versions of `apk-parser3` insecurely download an executable over an unencrypted HTTP connection. \n\nIn scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `apk-parser3`.\n\n\n## Recommendation\n\nUpdate to version 0.1.3 or greater.","aliases":["CVE-2016-10574"],"modified":"2023-11-08T03:58:13.491516Z","published":"2020-09-01T16:06:49Z","database_specific":{"github_reviewed_at":"2020-08-31T18:16:15Z","github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-311"],"nvd_published_at":null},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10574"},{"type":"WEB","url":"https://www.npmjs.com/advisories/245"}],"affected":[{"package":{"name":"apk-parser3","ecosystem":"npm","purl":"pkg:npm/apk-parser3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.1.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-4p7j-5ppx-rfhm/GHSA-4p7j-5ppx-rfhm.json"}}],"schema_version":"1.7.3"}