8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-10611

GHSA ID

GHSA-8gf4-pcj6-54rp

EPSS Score

0.72638%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10611

CVE-2016-10611: Downloads Resources over HTTP in strider-sauce

Affected versions of strider-sauce insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running strider-sauce.

Recommendation

While the package author has created a patch for this vulnerability, they have not yet published it to npm or bumped the version number.

In order to resolve the vulnerability, you will need to install the module manually from github:

npm install github:Strider-CD/strider-sauce#5ff6d65

As this vulnerability does not have a version bump included with the patch, it is possible that you have received a report for a vulnerable package, yet have installed the patched version and are no longer vulnerable. If that is the case, this advisory can be disregarded.

(GitHub Advisory)

8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-10611

GHSA ID

GHSA-8gf4-pcj6-54rp

EPSS Score

0.72638%

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
strider-sauce	npm	<= 0.6.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure HTTP downloads, but the provided information lacks specific code references, commit diffs, or file paths showing implementation details. While we can infer that functions handling resource downloads using HTTP would be vulnerable (e.g., HTTP client calls to fetch Sauce Connect executables), the absence of concrete code examples, GitHub patch details, or file paths prevents high-confidence identification of specific functions. The advisory only describes the vulnerability abstractly without pointing to exact code locations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `stri**r-s*u**` ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut**l* wit* *

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* *TTP *ownlo**s, *ut t** provi*** in*orm*tion l**ks sp**i*i* *o** r***r*n**s, *ommit *i**s, or *il* p*t*s s*owin* impl*m*nt*tion **t*ils. W*il* w* **n in**r t**t `*un*tions` **n*lin* r*sour** *ownlo**s usin* *TTP

8.1

Basic Information

Concerned about an active attack path?

CVE-2016-10611: Downloads Resources over HTTP in strider-sauce

Recommendation

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI