Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM4aDgteDY5Ny1naDhx
Tmp files readable by other users in sync-exec
Affected versions of sync-exec use files located in /tmp/ to buffer command results before returning values. As /tmp/ is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via sync-exec under a higher privilege user.
Recommendation
There is currently no direct patch for sync-exec, as the child_process.execSync function provided in Node.js v0.12.0 and later provides the same functionality natively.
The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of sync-exec to child_process.execSync().
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM4aDgteDY5Ny1naDhx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 8 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-38h8-x697-gh8q, CVE-2017-16024
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16024
- https://github.com/gvarsanyi/sync-exec/issues/17
- https://cwe.mitre.org/data/definitions/377.html
- https://github.com/advisories/GHSA-38h8-x697-gh8q
- https://www.npmjs.com/advisories/310
- https://www.owasp.org/index.php/Insecure_Temporary_File
Blast Radius: 26.8
Affected Packages
npm:sync-exec
Dependent packages: 447Dependent repositories: 13,442
Downloads: 163,944 last month
Affected Version Ranges: <= 0.6.2
No known fixed version
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.6.2