Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZjcGMtbWo1Yy1tOXJx
Arbitrary File Write in cli
Affected versions of cli
use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user who owns the cli process has permission to write to.
Proof of Concept
By creating symbolic links at the following locations, the target of the link can be written to.
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
Recommendation
Update to version 1.0.0 or later.
Permalink: https://github.com/advisories/GHSA-6cpc-mj5c-m9rq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZjcGMtbWo1Yy1tOXJx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 6 years ago
Updated: almost 2 years ago
Identifiers: GHSA-6cpc-mj5c-m9rq, CVE-2016-10538
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10538
- https://github.com/node-js-libs/cli/issues/81
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809252
- https://github.com/advisories/GHSA-6cpc-mj5c-m9rq
- https://www.npmjs.com/advisories/95
Blast Radius: 0.0
Affected Packages
npm:cli
Dependent packages: 777
Dependent repositories: 104,831
Downloads: 3,714,031 last month
Affected Version Ranges: < 1.0.0
Fixed in: 1.0.0
All affected versions: 0.1.0, 0.1.1, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.6.0, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3
All unaffected versions: 1.0.0, 1.0.1