CVE-2016-10563: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

February 18, 2019 (updated January 8, 2021)

During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further compromise.

References

github.com/advisories/GHSA-g3xp-v2ff-x5c3
github.com/diasdavid/go-ipfs-dep/pull/12
nodesecurity.io/advisories/156
nvd.nist.gov/vuln/detail/CVE-2016-10563
www.npmjs.com/advisories/156

Code Behaviors & Features

Detect and mitigate CVE-2016-10563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →