CVE-2016-10642

EPSS 2.1% | CWE-311 (Missing Encryption of Sensitive Data)
In short

The cmake wrapper package, which installs CMake's x86 Linux binaries, downloads them over unencrypted HTTP rather than HTTPS. An attacker on the network path can intercept the request and hand back a malicious binary in place of the real one, which then runs with the privileges of the user doing the install.

Technical detail

The package fetches the x86 Linux CMake binaries over plain HTTP with no integrity check: no TLS on the transport and no checksum or signature verification of the downloaded artifact. A network-positioned attacker (man-in-the-middle) can therefore replace the HTTP response with an attacker-controlled binary, yielding arbitrary code execution when that binary is installed or first run.

Summary generated and translated by AI from the official description.
cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.