CVE-2017-16035: Cleartext Transmission of Sensitive Information

June 4, 2018 (updated October 9, 2019)

During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to an HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.

References

nvd.nist.gov/vuln/detail/CVE-2017-16035

Detect and mitigate CVE-2017-16035 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →