Insecure use of Tmp files

Affecting sync-exec package, ALL versions

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

sync-exec is an fs.execSync replacement for node <0.12.

Affected versions of this package use tmp directories in an insecure way. The file to create will allways return true, regardess if the directory already exists and/or belongs to another user. Any user on the server may read the contents of this tmp file and may expose confidential information to an attacker.

Remediation

There is no fix version for sync-exec.

References

CVSS Score

4.0
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit
maxnikulin
CVE
CVE-2017-16024
CWE
CWE-377
Snyk ID
npm:sync-exec:20160124
Disclosed
24 Jan, 2016
Published
16 Apr, 2017