
Downloads Resources over HTTP in apk-parser

High severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm apk-parser (npm)

Affected versions

< 0.1.6

Patched versions

0.1.6

Description

apk-parser is a tool to extract Android Manifest info from an APK file.

apk-parser versions below 0.1.6 download binary resources over plain HTTP, which leaves them vulnerable to man-in-the-middle (MITM) attacks. An attacker on the local network, or positioned between the user and the remote server, may be able to achieve remote code execution (RCE) by swapping the requested binary for an attacker-controlled one.

Recommendation

Update to version 0.1.6 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 1, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.175%
(55th percentile)

Weaknesses

CVE ID

CVE-2016-10564

GHSA ID

GHSA-5g4r-87v2-jqvx

Source code

No known source code