Miggo Logo
Miggo Vulnerability Database
CVE-2017-16003

CVE-2017-16003: windows-build-tools downloads Resources over HTTP

8.1

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-16003
GHSA ID
GHSA-9p47-w5xp-f4xr
EPSS Score
0.71888%
CWE
CWE-311
Published
11/9/2018
Updated
9/13/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
windows-build-toolsnpm< 1.0.01.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the insecure HTTP URL defined in the 'buildTools' object within src/constants.js. While no explicit download function is shown in the provided commit diff, this configuration value is directly used to fetch the executable. The commit fixes the issue by changing the protocol to HTTPS, confirming this configuration as the root cause. The lack of encryption in the URL definition makes any code using this value inherently vulnerable, even if the actual download function isn't explicitly shown in the provided snippets.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `win*ows-*uil*-tools` ins**ur*ly *ownlo** *n *x**ut**l* ov*r *n un*n*rypt** *TTP *onn**tion. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, it is possi*l* to int*r**pt t** r*spons* *n* r*pl*** t** *x**ut**l*

Reasoning

T** vuln*r**ility st*ms *rom t** ins**ur* `*TTP` URL ***in** in t** '*uil*Tools' o*j**t wit*in `sr*/*onst*nts.js`. W*il* no *xpli*it *ownlo** `*un*tion` is s*own in t** provi*** *ommit *i**, t*is `*on*i*ur*tion` v*lu* is *ir**tly us** to **t** t** *x