CVE-2020-10800

lix through 15.8.7 allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field.

lix through 15.8.7 allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field.

All versions of `lix` are vulnerable to Machine-In-The-Middle. The package accepts downloads with `http` and follows `location` header redirects for package downloads. This allows for an attacker in a privileged network position to intercept a lix package installation and redirect the download to a malicious source. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.

All versions of `lix` are vulnerable to Machine-In-The-Middle. The package accepts downloads with `http` and follows `location` header redirects for package downloads. This allows for an attacker in a privileged network position to intercept a lix package installation and redirect the download to a malicious source. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.

lix versiones hasta 15.8.7, permite a atacantes de tipo man-in-the-middle ejecutar código arbitrario mediante la modificación del flujo de datos de cliente-servidor HTTP para que el encabezado Location este asociado con contenido ejecutable controlado por el atacante en el campo postDownload.