
CVE-2017-16003: windows-build-tools downloads Resources over HTTP

CVSS Score
8.1 (CVSS v3.0)

Basic Information

EPSS Score
0.71888%
Published
11/9/2018
Updated
9/13/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
windows-build-tools
Ecosystem
npm
Vulnerable Versions
< 1.0.0
First Patched Version
1.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the insecure HTTP URL defined in the 'buildTools' object within src/constants.js. Although the commit diff does not show the download function itself, this configuration value is what the package uses to fetch the executable, and the fix consists of changing the URL's protocol to HTTPS, which confirms the configuration value as the root cause. Because the URL is fetched without transport encryption, any code that consumes this value inherits the weakness: a party able to interpose on the connection can serve a different executable than the one the package intended to install.

WAF Protection Rules

WAF Rule

Affected versions of `windows-build-tools` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable.

Reasoning

The vulnerability stems from the insecure HTTP URL defined in the 'buildTools' object within `src/constants.js`. While no explicit download function is shown in the provided commit diff, this configuration value is directly used to fetch the executable.