Miggo Logo

CVE-2016-10557: appium-chromedriver downloads Resources over HTTP

8.1

CVSS Score
3.0

Basic Information

EPSS Score
0.73179%
Published
2/18/2019
Updated
9/12/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
appium-chromedrivernpm< 2.9.42.9.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from HTTP usage in CD_CDN configuration. Both installForPlatform() (which initiates the download) and getDownloadUrl() (which constructs the URL) directly handle the insecure resource fetching. The patch changes CD_CDN to HTTPS, confirming these functions were the execution path for the vulnerable behavior. A runtime profiler would show these functions when downloading Chromedriver binaries in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `*ppium-**rom**riv*r` ins**ur*ly *ownlo** r*sour**s ov*r *TTP. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, t**y **n mo*i*y or r*** it*ms s*n* ov*r *TTP *t will. In t*is **s*, t**t in*lu**s t** **rom**riv*r

Reasoning

T** vuln*r**ility st*ms *rom *TTP us*** in **_**N *on*i*ur*tion. *ot* inst*ll*orPl*t*orm() (w*i** initi*t*s t** *ownlo**) *n* **t*ownlo**Url() (w*i** *onstru*ts t** URL) *ir**tly **n*l* t** ins**ur* r*sour** **t**in*. T** p*t** ***n**s **_**N to *TTP