Arbitrary File Overwrite

Affecting fstream package, versions <1.0.12


Overview

fstream is a package that provides advanced filesystem streaming for Node.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. When a tarball contains a hardlink entry pointing at a file that already exists on the system, followed by a regular file entry with the same path as that hardlink, extraction writes the regular file's contents through the hardlink and overwrites the existing system file.
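The following is an added example, not code from fstream or from the advisory: a pre-extraction scan in Node that parses ustar headers and flags the pattern described above (a hardlink entry followed by a regular-file entry at the same path). The archive it inspects is constructed inline for illustration, and the flagging rule is a conservative heuristic of my own, not fstream's fix.

```javascript
// Added example, not fstream's code: scan a tar buffer for a hardlink entry
// that is later followed by a regular file with the same path.

// Build one 512-byte ustar header (used only to construct the sample below).
function tarHeader(name, type, linkname, size) {
  const h = Buffer.alloc(512);
  h.write(name, 0, 100);
  h.write('0000644\0', 100); h.write('0000000\0', 108); h.write('0000000\0', 116);
  h.write(size.toString(8).padStart(11, '0') + '\0', 124);
  h.write('00000000000\0', 136);
  h.write('        ', 148);            // checksum field counts as spaces
  h.write(type, 156, 1);
  h.write(linkname, 157, 100);
  h.write('ustar\0', 257); h.write('00', 263);
  let sum = 0; for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

// Constructed sample archive: hardlink "notes.txt" -> "existing.txt",
// then a regular file also named "notes.txt" carrying new contents.
const body = Buffer.alloc(512); body.write('replaced contents\n');
const SAMPLE_TAR = Buffer.concat([
  tarHeader('notes.txt', '1', 'existing.txt', 0),
  tarHeader('notes.txt', '0', '', 18), body,
  Buffer.alloc(1024),                  // end-of-archive marker
]);

const cstr = (buf, off, len) => buf.toString('utf8', off, off + len).split('\0')[0];

// Walk the archive and return {name, type, linkname, size} for each entry.
function parseTarEntries(buf) {
  const entries = [];
  for (let off = 0; off + 512 <= buf.length; ) {
    if (buf[off] === 0) break;          // zero block: end of archive
    const size = parseInt(cstr(buf, off + 124, 12).trim() || '0', 8);
    const flag = buf[off + 156];
    entries.push({ name: cstr(buf, off, 100), size,
      type: flag === 0 ? '0' : String.fromCharCode(flag),
      linkname: cstr(buf, off + 157, 100) });
    off += 512 + Math.ceil(size / 512) * 512;
  }
  return entries;
}

// Flag regular-file entries that reuse the path of an earlier hardlink entry.
function findHardlinkOverwrites(entries) {
  const links = new Map(), findings = [];
  for (const e of entries) {
    if (e.type === '1') links.set(e.name, e.linkname);
    else if (e.type === '0' && links.has(e.name))
      findings.push({ path: e.name, target: links.get(e.name) });
  }
  return findings;
}
```

An archive that produces any finding should be rejected before extraction rather than unpacked; the scan reads headers only and never creates links or files.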

Remediation

Upgrade fstream to version 1.0.12 or higher.

References

CVSS Score

7.3 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Max Justicz
CVE
CVE-2019-13173
CWE
CWE-59
Snyk ID
SNYK-JS-FSTREAM-174725
Disclosed
15 May, 2019
Published
15 May, 2019