Main Vulnerability Database SB2018060421

SB2018060421 - Information disclosure in Node.js

Published: June 4, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018060421

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-16024)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Remediation

Install update from vendor's website.

References

https://cwe.mitre.org/data/definitions/377.html
https://github.com/gvarsanyi/sync-exec/issues/17
https://nodesecurity.io/advisories/310
https://www.owasp.org/index.php/Insecure_Temporary_File