CVE-2016-10573

{"id": "CVE-2016-10573", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-05-29T20:29:01.047", "references": [{"url": "https://nodesecurity.io/advisories/240", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows. baryton-saxophone versions below 3.0.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server."}, {"lang": "es", "value": "baryton-saxophone es un m\u00f3dulo para instalar y ejecutar Selenium Server para Mac, Linux y Windows. baryton-saxophone en versiones anteriores a la 3.0.1 descarga recursos binarios por HTTP, lo que lo deja vulnerable a ataques MITM. Podr\u00eda ser posible provocar la ejecuci\u00f3n remota de c\u00f3digo (RCE) cambiando el binario solicitado por otro controlado por el atacante si \u00e9ste est\u00e1 en la red o posicionado entre el usuario y el servidor remoto."}], "lastModified": "2019-10-09T23:16:48.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:baryton-saxophone_project:baryton-saxophone:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DE20C8BD-82CF-4A9E-B55B-5A5D1414D0BE", "versionEndExcluding": "3.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}