
CVE-2016-10578: Downloads Resources over HTTP in unicode

CVSS Score: N/A

Basic Information

EPSS Score: 0.39193%
Published: 2/18/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
unicode        npm         < 9.0.0               9.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insecure HTTP downloads of UnicodeData.txt. Analysis shows:

  1. install.js contained file-resolution logic that fell back to an HTTP download of UnicodeData.txt when no local copy was found
  2. package.json's postinstall hook triggered this logic automatically on every install
  3. The patches changed the file resolution priority and removed the automatic execution
  4. The modification of the systemfiles array and the removal of the postinstall hook are the changes that close the HTTP download vector

While exact function names aren't visible, the install.js file resolution logic and the package.json postinstall hook are the primary execution paths that would appear in a profiler during installation of a vulnerable version.


WAF Protection Rules

WAF Rule

Affected versions of `unicode` insecurely download resources over HTTP. In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like th
