CVE-2017-16024 – sync-exec
Package
Manager: npm
Name: sync-exec
Vulnerable Version: >=0 <=0.6.2
Severity
Level: Medium
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00276 pctl0.50665
Details
Tmp files readable by other users in sync-exec

Affected versions of `sync-exec` buffer command output through files under `/tmp/` before returning the result. `/tmp/` is a shared directory that every local user can traverse, and files created there under the usual default umask are world-readable, so a low-privilege user on the same host can read the output of any command that a higher-privilege user runs through `sync-exec`, for as long as the buffer file exists.

Recommendation

There is no patch for `sync-exec`: the module is unnecessary on Node.js v0.12.0 and later, which provide the same functionality natively through `child_process.execSync()` without writing anything to disk. The mitigation is to update to Node.js v0.12.0 or later and migrate every use of `sync-exec` to `child_process.execSync()`.
Metadata
Created: 2018-11-09T17:45:30Z
Modified: 2023-09-07T20:13:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-38h8-x697-gh8q/GHSA-38h8-x697-gh8q.json
CWE IDs: ["CWE-377"]
Alternative ID: GHSA-38h8-x697-gh8q
Finding: F028
Auto approve: 1