
CVE-2016-10631: Downloads Resources over HTTP in jvminstall

CVSS Score: 9.3

Basic Information

EPSS Score: 0.72638%
Published: 2/18/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector (v2): AV:N/AC:M/Au:N/C:C/I:C/A:C

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
jvminstall | npm | <= 0.1.0 | 

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

Advisories for this CVE do not name a specific function, but the flaw necessarily lives in whatever routine fetches the JVM binary over HTTP. In a Node.js package that is typically a call to http.get() (or a wrapper around it) in the download module, followed by writing the response body to disk and executing it. The weakness class, CWE-311 (Missing Encryption of Sensitive Data), points directly at that download path: plain HTTP gives the response neither confidentiality nor integrity, so the body the package trusts can be substituted in transit. Confidence that the download mechanism is the vulnerable component is therefore high even without a named function.


WAF Protection Rules

WAF Rule

Affected versions of `jvminstall` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a ma
