CVE-2016-10680: Downloads Resources over HTTP in adamvr-geoip-lite

September 1, 2020 (updated January 14, 2021)

adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. This impacts the integrity and availability of this geoip data that may alter the decisions made by an application using this data.

References

github.com/advisories/GHSA-h2jv-5v3f-7m7j
nodesecurity.io/advisories/283
nvd.nist.gov/vuln/detail/CVE-2016-10680
www.npmjs.com/advisories/283

Code Behaviors & Features

Detect and mitigate CVE-2016-10680 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →