CVE-2017-16035

The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.
References
Link Resource
https://nodesecurity.io/advisories/334 Third Party Advisory
https://nodesecurity.io/advisories/334 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:hubspot:hubl-server:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 03:15

Type Values Removed Values Added
References () https://nodesecurity.io/advisories/334 - Third Party Advisory () https://nodesecurity.io/advisories/334 - Third Party Advisory

Information

Published : 2018-06-04 19:29

Updated : 2024-11-21 03:15


NVD link : CVE-2017-16035

Mitre link : CVE-2017-16035

CVE.ORG link : CVE-2017-16035


JSON object : View

Products Affected

hubspot

  • hubl-server
CWE
CWE-311

Missing Encryption of Sensitive Data

CWE-319

Cleartext Transmission of Sensitive Information