4.3

CVSS Score

Basic Information

CVE ID

CVE-2017-16041

GHSA ID

GHSA-w23f-f3c5-r9qh

EPSS Score

0.32812%

CWE

CWE-311

Published

7/24/2018

Updated

9/5/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16041

CVE-2017-16041: ikst Downloads Resources over HTTP

Affected versions of ikst insecurely download resources over HTTP.

In scenarios where an attacker has a privileged network position, they can modify or read such resources at will. While the exact severity of impact for a vulnerability like this is highly variable and depends on the behavior of the package itself, it ranges from being able to read sensitive information all the way up to and including remote code execution.

Recommendation

Upgrade to version 1.1.2 or greater.

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2017-16041

GHSA ID

GHSA-w23f-f3c5-r9qh

EPSS Score

0.32812%

CWE

CWE-311

Published

7/24/2018

Updated

9/5/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ikst	npm	< 1.1.2	1.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure HTTP downloads. In Node.js, HTTP requests are typically made via http.get. While the exact ikst function wrapping this call isn't visible in the provided data, the core http.get method would appear in stack traces when the vulnerable download operation is executed. The medium confidence reflects the lack of direct code examples, but aligns with the vulnerability's nature and common implementation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `ikst` ins**ur*ly *ownlo** r*sour**s ov*r *TTP. In s**n*rios w**r* *n *tt**k*r **s * privil**** n*twork position, t**y **n mo*i*y or r*** su** r*sour**s *t will. W*il* t** *x**t s*v*rity o* imp**t *or * vuln*r**ility lik* t*is

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* *TTP *ownlo**s. In No**.js, *TTP r*qu*sts *r* typi**lly m*** vi* `*ttp.**t`. W*il* t** *x**t ikst *un*tion wr*ppin* t*is **ll isn't visi*l* in t** provi*** **t*, t** *or* `*ttp.**t` m*t*o* woul* *pp**r in st**k t

4.3

Basic Information

Concerned about an active attack path?

CVE-2017-16041: ikst Downloads Resources over HTTP

Recommendation

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI