N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10585

GHSA ID

GHSA-7vrq-vg6p-32fw

EPSS Score

0.72629%

CWE

CWE-269

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10585

CVE-2016-10585:
Downloads Resources over HTTP in libxl

Affected versions of libxl insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running libxl.

Recommendation

The module author recommends installing the bindings using a pinned and verified version of SDK instead of the automated download. More information is available in the modules README.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10585

GHSA ID

GHSA-7vrq-vg6p-32fw

EPSS Score

0.72629%

CWE

CWE-269

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libxl	npm	<= 0.4.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly involves insecure HTTP downloads during the package's installation process. The recommendation to avoid automated downloads strongly implies that the installation script contains a function (e.g., in scripts/install.js) that fetches the SDK via HTTP. While the exact function name/path isn't provided in public advisories, the nature of the vulnerability (CWE-311) and npm package conventions make this the most logical and high-confidence conclusion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `li*xl` ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut**l* wit* * m*li*io

Reasoning

T** vuln*r**ility *xpli*itly involv*s ins**ur* *TTP *ownlo**s *urin* t** p**k***'s inst*ll*tion pro**ss. T** r**omm*n**tion to *voi* *utom*t** *ownlo**s stron*ly impli*s t**t t** inst*ll*tion s*ript *ont*ins * *un*tion (*.*., in s*ripts/inst*ll.js) t

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-10585: Downloads Resources over HTTP in libxl

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2016-10585:
Downloads Resources over HTTP in libxl

Vulnerability Intelligence
Miggo AI