First published: Thu Apr 26 2018
Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. As `/tmp/` is almost always set with world-readable permissions, this may allow low-privilege users on the system to read the results of commands run via `sync-exec` under a higher-privilege user.

## Recommendation

There is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sync-exec Project Sync-exec | <=0.6.2 | |
| Nodejs Node.js | <0.11.9 | |