CVE-2016-10648: marionette-socket-host downloads Resources over HTTP
CVSS Score (v3.0): 8.1
Basic Information
CVE ID: CVE-2016-10648
GHSA ID:
EPSS Score: 0.72638%
CWE:
Published: 8/15/2018
Updated: 9/7/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
marionette-socket-host | npm | <= 0.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The package fetches a resource that it subsequently executes over plain HTTP, with no TLS protecting the transfer and no integrity check on what is received. Anyone positioned between the user and the download server (on the same network, or anywhere along the path) can replace the response with an attacker-controlled file, which the package then installs and runs. That is why the vector scores confidentiality, integrity and availability as High, while attack complexity is High because the attacker must first obtain that man-in-the-middle position. The specific functions responsible cannot be identified with high confidence: 1) no source code or commit history is available for analysis, because the package was removed from GitHub; 2) the vulnerability reports name no functions or implementation details; 3) no patch exists, so there is no diff showing what had to change. The flaw clearly lives in the resource download mechanism, but the exact functions or modules that perform the HTTP fetch and the executable installation cannot be determined from the available information. Every published version up to and including 0.1.1 is affected and no fixed release is listed, so the practical remediation is to remove the dependency rather than to wait for an upgrade.