<p>Upgrade to at least version 0.0.15</p>

Insecure Defaults Allow MitM Affecting ezseed-transmission package, versions >=0.0.10 <0.0.15

Snyk CVSS

Attack Complexity High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:ezseed-transmission:20160729
published 29 Jul 2016
disclosed 29 Jul 2016
credit Adam Baldwin

Report a new vulnerability Found a mistake?

Introduced: 29 Jul 2016

CVE-2016-1000224 Open this link in a new tab CWE-295 Open this link in a new tab CWE-300 Open this link in a new tab

How to fix?

Upgrade to at least version 0.0.15

Overview

ezseed-transmission is a module that provides shell bindings for Ezseed transmission.

Between versions 0.0.10 and 0.0.14 (inclusive), ezseed-transmission would download a script from http://stedolan.github.io/jq/download/linux64/jq without checking the certificate. An attacker on the same network or on an ISP level could intercept the traffic and push their own version of the file, causing the attackers code to be executed.

Source: Node Security Project

References

https://github.com/ezseed/transmission/commit/4816b1b08288774c607a7df2a4209612c4d46caa