Miggo Logo

CVE-2016-10641: Downloads Resources over HTTP in node-bsdiff-android

6.8

CVSS Score

Basic Information

EPSS Score
0.39308%
Published
9/18/2018
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:P/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
node-bsdiff-androidnpm<= 0.1.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided vulnerability information clearly identifies insecure HTTP downloads as the root cause, but does not include actual source code, commit diffs, or specific function references. While we can infer that functions handling resource downloads would be vulnerable (e.g., functions using Node.js http module methods like http.get() for fetching updates), the lack of concrete code examples or package implementation details prevents high-confidence identification of specific functions. The advisory texts describe the vulnerability in general terms without pointing to specific functions or file paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `no**-*s*i**-*n*roi*` ins**ur*ly *ownlo** r*sour**s ov*r *TTP. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, t**y **n mo*i*y or r*** su** r*sour**s *t will. W*il* t** *x**t s*v*rity o* imp**t *or * vuln*r**i

Reasoning

T** provi*** vuln*r**ility in*orm*tion *l**rly i**nti*i*s ins**ur* *TTP *ownlo**s *s t** root **us*, *ut *o*s not in*lu** **tu*l sour** *o**, *ommit *i**s, or sp**i*i* *un*tion r***r*n**s. W*il* w* **n in**r t**t *un*tions **n*lin* r*sour** *ownlo**s