Miggo Logo
Miggo Vulnerability Database
CVE-2018-1000096

CVE-2018-1000096: tiny-json-http missing SSL certificate validation

8.1

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-1000096
GHSA ID
GHSA-7h42-5vj2-cq39
EPSS Score
0.40117%
CWE
CWE-295
Published
3/13/2018
Updated
9/13/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
tiny-json-httpnpm>= 1.0.1, < 7.0.07.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the explicit disabling of SSL certificate validation via the 'rejectUnauthorized = false' option in both _read.js and _write.js. This setting is a direct violation of CWE-295 (Improper Certificate Validation) and was removed in the patched commit 3c1e36d. These functions handle HTTP(S) requests, and disabling certificate validation exposes users to MITM attacks. The commit diff confirms these lines were the sole SSL-related changes, making the identification highly confident.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ri*nl*roux tiny-json-*ttp v*rsion *ll v*rsions sin** *ommit [****************************************](*ttps://*it*u*.*om/*ri*nl*roux/tiny-json-*ttp/*ommit/****************************************) (O*t ** ****) *ont*ins * Missin* SSL **rti*i**t* v*

Reasoning

T** vuln*r**ility st*ms *rom t** *xpli*it *is**lin* o* SSL **rti*i**t* v*li**tion vi* t** 'r*j**tUn*ut*oriz** = **ls*' option in *ot* _r***.js *n* _writ*.js. T*is s*ttin* is * *ir**t viol*tion o* *W*-*** (Improp*r **rti*i**t* V*li**tion) *n* w*s r*mo