CVE-2016-10673

ipip-coffee queries geolocation information from IP ipip-coffee downloads geolocation resources over HTTP, which leaves it vulnerable to MITM attacks. This could impact the integrity and availability of the data being used to make geolocation decisions by an application.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://nodesecurity.io/advisories/279	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ipip:ipip-coffee:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2018-06-04 16:29

Updated : 2023-12-10 12:30

NVD link : CVE-2016-10673

Mitre link : CVE-2016-10673

CVE.ORG link : CVE-2016-10673

JSON object : View

Products Affected

ipip

ipip-coffee

CWE

CWE-310

Cryptographic Issues

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2016-10673", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-06-04T16:29:01.923", "references": [{"url": "https://nodesecurity.io/advisories/279", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "ipip-coffee queries geolocation information from IP ipip-coffee downloads geolocation resources over HTTP, which leaves it vulnerable to MITM attacks. This could impact the integrity and availability of the data being used to make geolocation decisions by an application."}, {"lang": "es", "value": "ipip-coffee consulta informaci\u00f3n de geolocalizaci\u00f3n de la IP. ipip-coffee descarga recursos binarios por HTTP, lo que lo deja vulnerable a ataques MITM. Esto podr\u00eda impactar la integridad y disponibilidad de los datos que se est\u00e1n empleando para que una aplicaci\u00f3n tome decisiones de geolocalizaci\u00f3n."}], "lastModified": "2019-10-09T23:16:59.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ipip:ipip-coffee:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6B672E1A-2940-4F26-9731-9B019B721BCD", "versionEndIncluding": "1.0.9"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}