N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-1000238

GHSA ID

GHSA-4v9q-hm2p-68c4

EPSS Score

CWE

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-1000238

CVE-2016-1000238: Spoofing attack due to unvalidated KDC in node-krb5

Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials.

Recommendation

It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then.

At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting this criteria available on npm..

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-1000238

GHSA ID

GHSA-4v9q-hm2p-68c4

EPSS Score

CWE

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

vuln_not_found

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
node-krb5	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description indicates a systemic lack of KDC validation in the authentication process, but no specific functions are identified in the provided information. The advisory references GitHub issue #13 (qesuto/node-krb5#13) which might contain implementation details, but without access to the actual codebase, commit diffs, or explicit function names from the vulnerability report, we cannot confidently map this vulnerability to specific functions. The vulnerability stems from a missing security control (KDC validation) in the Kerberos authentication workflow, but insufficient implementation details are provided to pinpoint exact functions with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `no**-kr**` *o not v*li**t* t** K** prior to *ut**nti**tin*, w*i** mi**t *llow *n *tt**k*r wit* n*twork ****ss *n* *nou** tim* to spoo* t** K** *n* imp*rson*t* * v*li* us*r wit*out knowin* t**ir *r***nti*ls. ## R**omm*n**tion

Reasoning

T** vuln*r**ility **s*ription in*i**t*s * syst*mi* l**k o* K** v*li**tion in t** *ut**nti**tion pro**ss, *ut no sp**i*i* *un*tions *r* i**nti*i** in t** provi*** in*orm*tion. T** **visory r***r*n**s *it*u* issu* #** (q*suto/no**-kr**#**) w*i** mi**t

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-1000238: Spoofing attack due to unvalidated KDC in node-krb5

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI