CVE-2016-10534

low-risk
Published 2018-05-31

electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true. This could allow an attacker to perform a man in the middle attack.

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Electron-Packager

Affected Vendors

Electron-Packager Project

References (4)

Issue Tracking https://github.com/electron-userland/electron-packager/issues/333
Mitigation https://nodesecurity.io/advisories/104
Issue Tracking https://github.com/electron-userland/electron-packager/issues/333
Mitigation https://nodesecurity.io/advisories/104
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal