CVE-2016-10594

ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://nodesecurity.io/advisories/184	Third Party Advisory
https://nodesecurity.io/advisories/184	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ipip_project:ipip:-:*:*:*:*:node.js:*:*

History

21 Nov 2024, 02:44

Type	Values Removed	Values Added
References	~~() https://nodesecurity.io/advisories/184 - Third Party Advisory~~	() https://nodesecurity.io/advisories/184 - Third Party Advisory

Information

Published : 2018-06-01 18:29

Updated : 2024-11-21 02:44

NVD link : CVE-2016-10594

Mitre link : CVE-2016-10594

CVE.ORG link : CVE-2016-10594

JSON object : View

Products Affected

ipip_project

ipip

CWE

CWE-311

Missing Encryption of Sensitive Data

CWE-310

Cryptographic Issues

{"id": "CVE-2016-10594", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-06-01T18:29:00.770", "references": [{"url": "https://nodesecurity.io/advisories/184", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://nodesecurity.io/advisories/184", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-311"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks."}, {"lang": "es", "value": "ipip es un m\u00f3dulo de Node.js para consultar informaci\u00f3n de geolocalizaci\u00f3n para una IP o dominio, en base a la base de datos de ipip.net. ipip descarga recursos de datos por HTTP, lo que lo deja vulnerable a ataques MITM."}], "lastModified": "2024-11-21T02:44:20.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ipip_project:ipip:-:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "79F94EF3-345E-4FC0-A844-034F65BE8CB8"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}