Description

ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Remediation

References

https://nodesecurity.io/advisories/182

https://www.npmjs.com/package/ibapi/v/2.5.6

https://gitlord.com/summary/~dchem%2Fnode-ibapi-addon.git

https://gitlord.com/commitdiff/~dchem%2Fnode-ibapi-addon.git/c00dd7c98cca0423052148337e523eeb7776da68

Related Vulnerabilities

CVE-2017-16073 Vulnerability in npm package noderequest

CVE-2023-29216 Vulnerability in maven package org.apache.linkis:linkis-engineplugin-jdbc

CVE-2021-43838 Vulnerability in npm package jsx-slack

CVE-2016-10655 Vulnerability in npm package clang-extra

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.13

Severity

Critical

Classification

CWE-310 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory