Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2017-16024

UNKNOWN
Published 2018-06-04T19:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-16024. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

sync-exec node module

Affected Versions:

All versions

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Tmp files readable by other users in sync-exec

GHSA-38h8-x697-gh8q

Advisory Details

Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user. ## Recommendation There is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.

Affected Packages

npm sync-exec
ECOSYSTEM: ≥0 ≤0.6.2

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-16024
WEB https://github.com/gvarsanyi/sync-exec/issues/17
WEB https://cwe.mitre.org/data/definitions/377.html
ADVISORY https://github.com/advisories/GHSA-38h8-x697-gh8q
WEB https://www.npmjs.com/advisories/310
WEB https://www.owasp.org/index.php/Insecure_Temporary_File

Advisory provided by GitHub Security Advisory Database. Published: November 9, 2018, Modified: September 7, 2023

References

https://cwe.mitre.org/data/definitions/377.html
https://www.owasp.org/index.php/Insecure_Temporary_File
https://github.com/gvarsanyi/sync-exec/issues/17
https://nodesecurity.io/advisories/310
Published: 2018-06-04T19:00:00Z
Last Modified: 2024-09-16T17:48:58.293Z
Copied to clipboard!