Description

nw is an installer for nw.js. nw downloads zipped resources over HTTP, It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Remediation

References

https://nodesecurity.io/advisories/166

Related Vulnerabilities

CVE-2020-1948 Vulnerability in maven package org.apache.dubbo:dubbo-common

CVE-2021-21119 Vulnerability in npm package electron

CVE-2018-25074 Vulnerability in npm package skeemas

CVE-2017-1000427 Vulnerability in maven package org.webjars.bower:marked

CVE-2017-1000189 Vulnerability in npm package ejs

Severity

Critical

Classification

CWE-310 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory