
CVE-2018-1000096: tiny-json-http missing SSL certificate validation

CVSS Score: 8.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.40117%
Published: 3/13/2018
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: tiny-json-http
Ecosystem: npm
Vulnerable Versions: >= 1.0.1, < 7.0.0
First Patched Version: 7.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from explicitly disabling SSL/TLS certificate validation by setting the 'rejectUnauthorized = false' option in both _read.js and _write.js. This is a direct instance of CWE-295 (Improper Certificate Validation); the setting was removed in the patched commit 3c1e36d. These functions handle HTTP(S) requests, and disabling certificate validation exposes users to man-in-the-middle (MITM) attacks on HTTPS traffic. The commit diff confirms these lines were the sole SSL-related changes, making the identification highly confident.


WAF Protection Rules

WAF Rule

brianleroux tiny-json-http version all versions since commit [****************************************](https://github.com/brianleroux/tiny-json-http/commit/****************************************) (Oct ** ****) contains a Missing SSL certificate validation
