Cryptographic issues in CMake - CVE-2016-10642
Published: June 4, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU37086
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-10642
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Kitware
Affected software:
CMake
CMake
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
How to mitigate CVE-2016-10642
Install update from vendor's website.