# FAL-01-004 Dependencies pulled via hard-coded HTTP links

### Impact

_What kind of vulnerability is it? Who is impacted?_

This vulnerability might impact users or automated systems that build Falco from source. It was noticed that some dependencies in the CMake files were downloaded via hard-coded HTTP links. Since the download happened over a clear-text connection, an attacker with Man-in-the-Middle capabilities could spoof the connection and serve malicious content instead of the legitimate dependencies.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

The problem has been addressed by https://github.com/falcosecurity/falco/pull/774 on Aug 17, 2019. The patch is part of the 0.18.0 release.

Users who had built Falco from source before the fix should build it again using a version of the source code either greater than or equal to **0.18.0** or that includes the above-mentioned patch.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Users can manually patch the CMake files, ensuring all dependencies are pulled via HTTPS links.

### References

_Are there any links users can visit to find out more?_

This vulnerability was initially reported in [this security audit](https://github.com/falcosecurity/falco/blob/master/audits/SECURITY_AUDIT_2019_07.pdf) and is identified by the ID `FAL-01-004`.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the Falco repository](https://github.com/falcosecurity/falco/issues/new/choose)
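The workaround above is a manual review of the CMake files. As an added example (not Falco's own code, and not taken from the patch), the script below shows how that review can be automated in a build pipeline: it scans CMake text for `http://` download URLs, rewrites them to `https://`, and additionally lists `ExternalProject_Add()` calls that carry no `URL_HASH`, since a transport-only fix still leaves the archive contents unpinned. The CMake snippet embedded in the script is constructed for illustration and does not reproduce Falco's real build files; the project names and `example.invalid` host are placeholders.

```python
"""Find and fix dependencies fetched over clear-text HTTP in CMake files.

Added example for the FAL-01-004 advisory; not Falco's own code.
Assumptions: ExternalProject_Add() arguments contain no nested parentheses,
and download URLs appear literally (not assembled from CMake variables).
"""
import re

# Constructed sample input (not Falco's CMake): two ExternalProject_Add()
# calls and one file(DOWNLOAD ...). libfoo pins a (placeholder) hash but uses
# clear-text HTTP; libbar uses HTTPS but has no hash; the file() call is HTTP.
SAMPLE_CMAKE = """
ExternalProject_Add(libfoo
  URL "http://example.invalid/libfoo-1.0.tar.gz"
  URL_HASH "SHA256=0000000000000000000000000000000000000000000000000000000000000000"
)
ExternalProject_Add(libbar
  URL "https://example.invalid/libbar-2.0.tar.gz"
)
file(DOWNLOAD http://example.invalid/toolchain.cmake ${CMAKE_BINARY_DIR}/toolchain.cmake)
"""

# A URL inside a CMake argument: scheme, then everything up to whitespace,
# a closing quote or a closing parenthesis.
URL_RE = re.compile(r'(?P<scheme>https?)://(?P<rest>[^\s")]+)')
EP_RE = re.compile(r"ExternalProject_Add\s*\(", re.IGNORECASE)


def find_insecure_urls(text):
    """Return (line_number, url) for every clear-text http:// URL, skipping comment lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        for m in URL_RE.finditer(line):
            if m.group("scheme") == "http":
                findings.append((lineno, m.group(0)))
    return findings


def upgrade_to_https(text):
    """Apply the advisory's workaround: rewrite http:// to https://.

    The pattern requires "://" right after "http", so existing https:// URLs are untouched.
    """
    return re.sub(r"\bhttp://", "https://", text)


def external_projects(text):
    """Yield (name, argument_body) for each ExternalProject_Add(...) call."""
    pos = 0
    while True:
        m = EP_RE.search(text, pos)
        if not m:
            return
        end = text.find(")", m.end())
        if end == -1:
            return
        body = text[m.end():end]
        name = body.split(None, 1)[0]
        yield name, body
        pos = end + 1


def projects_without_hash(text):
    """Names of ExternalProject_Add() calls that do not pin the archive with URL_HASH.

    HTTPS protects the download in transit; URL_HASH additionally pins what is
    downloaded, so a compromised or replaced upstream archive fails the build.
    """
    return [name for name, body in external_projects(text) if "URL_HASH" not in body]


def report(text):
    """Human-readable findings for one CMake file's contents."""
    lines = [f"line {n}: clear-text download {url}" for n, url in find_insecure_urls(text)]
    lines += [f"ExternalProject_Add({name}) has no URL_HASH" for name in projects_without_hash(text)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CMAKE):
        print(line)
    print("--- after upgrade_to_https ---")
    print(upgrade_to_https(SAMPLE_CMAKE))
```

Run it against a checkout with something like `python scan.py` after replacing `SAMPLE_CMAKE` with the contents of each `*.cmake` or `CMakeLists.txt` file; a non-empty `report()` is the signal to fail the build until the URLs are switched to HTTPS and, ideally, a `URL_HASH` is added.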