9.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10669

GHSA ID

GHSA-p9pm-55vp-2jqw

EPSS Score

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10669

CVE-2016-10669:
Downloads Resources over HTTP in soci

Affected versions of soci insecurely download an executable over an unencrypted HTTP connection.

In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running soci.

Recommendation

No patch is currently available for this vulnerability.

The best mitigation is currently to avoid using this package, using a different package if available.

Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised your network or those who have privileged access to your ISP, such as Nation State Actors or Rogue ISP Employees.

(GitHub Advisory)

9.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10669

GHSA ID

GHSA-p9pm-55vp-2jqw

EPSS Score

CWE

CWE-311

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
soci	npm	<= 3.2.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information does not include specific code references, file paths, or function names from the 'soci' package. While the vulnerability description clearly identifies insecure HTTP downloads as the root cause, there is no concrete evidence in the provided data (commit diffs, patch details, or code examples) to pinpoint exact functions responsible for the insecure download. The advisory and CVE only describe the vulnerability at a high level without technical implementation details. Without access to the package's source code or installation scripts from vulnerable versions (<=3.2.2), we cannot confidently identify specific vulnerable functions with high certainty.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `so*i` ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut**l* wit* * m*li*iou

Reasoning

T** provi*** vuln*r**ility in*orm*tion *o*s not in*lu** sp**i*i* *o** r***r*n**s, *il* p*t*s, or *un*tion n*m*s *rom t** 'so*i' p**k***. W*il* t** vuln*r**ility **s*ription *l**rly i**nti*i*s ins**ur* *TTP *ownlo**s *s t** root **us*, t**r* is no *on

9.3

Basic Information

Concerned about an active attack path?

CVE-2016-10669: Downloads Resources over HTTP in soci

Recommendation

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2016-10669:
Downloads Resources over HTTP in soci

Vulnerability Intelligence
Miggo AI