Downloads Resources over HTTP

Module: appium-chromedriver

Published: December 6th, 2016

Reported by: Adam Baldwin

CVE-NONE

CWE-818

Vulnerable: <2.9.4
Patched: >=2.9.4

Overview

Affected versions of appium-chromedriver insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read items sent over HTTP at will. In this case, that includes the chromedriver binary, which may result in remote code execution if it is overwritten with a malicious binary.

Remediation

Update to version 2.9.4 or later.
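
To confirm that the remediation has taken effect across a dependency tree, the following added example (not code from the advisory or from the appium-chromedriver project) scans a parsed package-lock.json for appium-chromedriver entries below 2.9.4, including copies nested under other packages. The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: flag appium-chromedriver entries below the patched 2.9.4.
const PATCHED = [2, 9, 4]; // "Patched: >=2.9.4" from the advisory

// True when `version` is below 2.9.4. A 2.9.4 pre-release sorts before
// 2.9.4, and a non-semver value (git URL, tarball) is flagged for review.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  const nums = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== PATCHED[i]) return nums[i] < PATCHED[i];
  }
  return Boolean(m[4]);
}

// Handles both lockfile layouts: "packages" keyed by install path (v2/v3)
// and nested "dependencies" objects (v1). v2 files carry both, so prefer
// "packages" to avoid reporting the same install twice.
function findVulnerable(lock, name = 'appium-chromedriver') {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && isVulnerable(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + '/' + dep;
      if (dep === name && isVulnerable(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "example-driver" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/appium-chromedriver': { version: '2.9.4' },
    'node_modules/example-driver/node_modules/appium-chromedriver': { version: '2.9.3' },
  },
};
console.log(findVulnerable(sampleLock));
```

In practice, pass the result of JSON.parse on the project's package-lock.json to findVulnerable; an empty array means every resolved copy is at 2.9.4 or later.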