Description

nw is an installer for nw.js. nw downloads zipped resources over HTTP, It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Remediation

References

https://nodesecurity.io/advisories/166

Related Vulnerabilities

CVE-2021-36373 Vulnerability in maven package org.apache.ant:ant

CVE-2021-32691 Vulnerability in npm package data-connector-rock

CVE-2018-20677 Vulnerability in maven package org.webjars.bower:bootstrap-sass

CVE-2021-26291 Vulnerability in maven package org.apache.maven:apache-maven

CVE-2017-16206 Vulnerability in npm package cofee-script

Severity

Critical

Classification

CWE-310 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory