
CVE-2016-10648: marionette-socket-host downloads Resources over HTTP

CVSS Score: 8.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.72638%
Published: 8/15/2018
Updated: 9/7/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: marionette-socket-host
Ecosystem: npm
Vulnerable Versions: <= 0.1.1
First Patched Version: not listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insecure downloading of an executable over HTTP, but the specific functions responsible for this behavior cannot be identified with high confidence because:

1) No source code or commit diffs are available for analysis (the package was removed from GitHub).
2) No function names or implementation details are provided in the vulnerability reports.
3) No patching information shows what needed to be fixed.

While the vulnerability clearly exists in the resource download mechanism, the exact functions/modules handling the HTTP fetch and executable installation cannot be determined from the available information.

WAF Protection Rules

WAF Rule

Affected versions of `marionette-socket-host` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable
