Overview
fstream is a package that supports advanced FS Streaming for Node.
Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hardlink to a file that already exists on the system, together with a file entry whose path matches the hardlink, overwrites the existing file with the contents of the extracted file.
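A pre-extraction check for the archive pattern described above, as an added example that is not part of this advisory or of fstream: it reads raw tar headers and reports any later entry that reuses a hardlink entry's path. The names `scanTar` and `sampleHeader`, the check for link targets outside the extraction root (a generalization beyond the advisory's case), and the sample values are assumptions.

```javascript
// Added example (not fstream code): inspect raw tar headers without extracting.
// Limits: uncompressed input; ustar prefix and GNU/PAX long names are not handled.

// Read a NUL-terminated string field from a 512-byte header block.
function field(block, off, len) {
  const raw = block.subarray(off, off + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? len : end);
}

// Flag hardlink entries whose target leaves the extraction root, and any
// later entry that reuses a hardlink entry's path (the advisory's pattern).
function scanTar(buf) {
  const findings = [];
  const hardlinks = new Map(); // entry path -> link target
  let off = 0;
  while (off + 512 <= buf.length) {
    const h = buf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    // Drop leading "./" and trailing "/" so equivalent paths compare equal.
    const name = field(h, 0, 100).replace(/^(\.\/)+/, '').replace(/\/+$/, '');
    const type = String.fromCharCode(h[156] || 0x30); // NUL means regular file
    const size = parseInt(field(h, 124, 12), 8) || 0;
    if (hardlinks.has(name)) {
      findings.push({ name, issue: 'path-reuses-hardlink', target: hardlinks.get(name) });
    }
    if (type === '1') {
      const target = field(h, 157, 100);
      // Conservative: absolute targets and any ".." segment are reported.
      if (target.startsWith('/') || target.split('/').includes('..')) {
        findings.push({ name, issue: 'hardlink-outside-root', target });
      }
      hardlinks.set(name, target);
    }
    // Link, device, directory and FIFO entries ('1'-'6') carry no data blocks.
    const dataLen = '123456'.includes(type) ? 0 : Math.ceil(size / 512) * 512;
    off += 512 + dataLen;
  }
  return findings;
}

// Constructed sample header (checksum left blank; scanTar does not verify it).
function sampleHeader(name, type, linkname = '', size = 0) {
  const h = Buffer.alloc(512);
  h.write(name, 0);
  h.write(size.toString(8).padStart(11, '0'), 124);
  h.write(type, 156);
  h.write(linkname, 157);
  return h;
}
```

`scanTar` takes a Buffer holding an uncompressed archive and returns an array of findings; an empty array means neither condition was seen.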
Remediation
Upgrade fstream to version 1.0.12 or higher.
CVSS Score
7.3 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Credit: Max Justicz
- CVE: CVE-2019-13173
- CWE: CWE-59
- Snyk ID: SNYK-JS-FSTREAM-174725
- Disclosed: 15 May, 2019
- Published: 15 May, 2019