CVE-2017-16024

Опубликовано: 04 июн. 2018

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Ссылки

https://cwe.mitre.org/data/definitions/377.html
Third Party Advisory
https://github.com/gvarsanyi/sync-exec/issues/17
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/310
Third Party Advisory
https://www.owasp.org/index.php/Insecure_Temporary_File
Third Party Advisory
https://cwe.mitre.org/data/definitions/377.html
Third Party Advisory
https://github.com/gvarsanyi/sync-exec/issues/17
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/310
Third Party Advisory
https://www.owasp.org/index.php/Insecure_Temporary_File
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sync-exec_project:sync-exec:*:*:*:*:*:node.js:*:*

Версия до 0.6.2 (включая)

Конфигурация 2

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

Версия до 0.11.9 (исключая)

EPSS

Процентиль: 51%

0.00276

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-377

CWE-200

Связанные уязвимости

GHSA-38h8-x697-gh8q