Insecure use of Tmp files

Affecting sync-exec package, ALL versions

medium severity

Overview

sync-exec is an fs.execSync replacement for node <0.12.

Affected versions of this package use tmp directories in an insecure way. The file to create will allways return true, regardess if the directory already exists and/or belongs to another user. Any user on the server may read the contents of this tmp file and may expose confidential information to an attacker.

Remediation

There is no fix version for sync-exec.

References

Credit
maxnikulin
CWE
CWE-377
Snyk ID
npm:sync-exec:20160124
Disclosed
24 Jan, 2016
Published
16 Apr, 2017

Do your applications use this vulnerable package?