8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-10589

GHSA ID

GHSA-h4mc-r4f4-hcf4

EPSS Score

0.72648%

CWE

CWE-311

Published

2/18/2019

Updated

1/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10589

CVE-2016-10589: selenium-binaries downloads resources over HTTP

Versions of selenium-binaries prior to 0.15.0 insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running selenium-binaries.

Recommendation

A fix for this vulnerability is available on the master branch of the repository as part of version 0.15.0.

Another mitigation currently available is to use an alternate package, such as selenium-webdriver, the official selenium bindings for node.js.

(GitHub Advisory)

8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-10589

GHSA ID

GHSA-h4mc-r4f4-hcf4

EPSS Score

0.72648%

CWE

CWE-311

Published

2/18/2019

Updated

1/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
selenium-binaries	npm	< 0.15.0	0.15.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure HTTP URLs hardcoded in configuration objects (seleniumserver, chromedriver, iedriver) within lib/config.js. These URLs were used to download executables. While the URLs are part of the module's configuration data rather than traditional functions, the insecure protocol made the system vulnerable. The fix changed these static URL strings from 'http' to 'https', but no specific functions (e.g., download handlers or URL builders) were identified in the provided diff—only configuration properties were modified. Thus, no functions meet the criteria for inclusion with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `s*l*nium-*in*ri*s` prior to *.**.* ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* *TTP URLs **r**o*** in *on*i*ur*tion o*j**ts (s*l*niums*rv*r, **rom**riv*r, i**riv*r) wit*in li*/*on*i*.js. T**s* URLs w*r* us** to *ownlo** *x**ut**l*s. W*il* t** URLs *r* p*rt o* t** mo*ul*'s *on*i*ur*tion **t*

8.1

Basic Information

Concerned about an active attack path?

CVE-2016-10589: selenium-binaries downloads resources over HTTP

Recommendation

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI