sqlite3@2.1.19

Vulnerabilities: 3 via 4 paths

Dependencies: 23

Source: npm


high severity

Arbitrary File Overwrite

  • Vulnerable module: fstream
  • Introduced through: tar.gz@0.1.1

Detailed paths

  • Introduced through: sqlite3@2.1.19 tar.gz@0.1.1 fstream@0.1.31
    Remediation: Upgrade to sqlite3@2.2.0.
  • Introduced through: sqlite3@2.1.19 tar.gz@0.1.1 tar@0.1.20 fstream@0.1.31
    Remediation: Upgrade to sqlite3@2.2.0.

Overview

fstream is a package that supports advanced FS Streaming for Node.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hard link to a file that already exists on the system, followed by a file entry matching that hard link, overwrites the existing file on the system with the contents of the extracted file.

Remediation

Upgrade fstream to version 1.0.12 or higher.


high severity

Arbitrary File Overwrite

  • Vulnerable module: tar
  • Introduced through: tar.gz@0.1.1

Detailed paths

  • Introduced through: sqlite3@2.1.19 tar.gz@0.1.1 tar@0.1.20
    Remediation: Upgrade to sqlite3@2.2.0.

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hard link to a file that already exists on the system, followed by a file entry matching that hard link, may overwrite the existing file on the system with the contents of the extracted file.

Remediation

Upgrade tar to version 2.2.2, 4.4.2 or higher.


high severity

Symlink File Overwrite

  • Vulnerable module: tar
  • Introduced through: tar.gz@0.1.1

Detailed paths

  • Introduced through: sqlite3@2.1.19 tar.gz@0.1.1 tar@0.1.20
    Remediation: Upgrade to sqlite3@2.2.0.

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Symlink File Overwrite. The package does not properly normalize symbolic links whose targets lie outside the extraction root. As a result, a package may contain symbolic links to parent or sibling directories, and extracting it can overwrite files in those locations.

Remediation

Upgrade tar to version 2.0.0 or higher.
