Information disclosure in Node.js



Published: 2018-06-04 | Updated: 2020-07-17
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-16024
CWE-ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Node.js
Server applications / Web servers

Vendor Node.js Foundation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU31290

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-16024

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Node.js: 0.11.0 - 0.11.8

External links

http://cwe.mitre.org/data/definitions/377.html
http://github.com/gvarsanyi/sync-exec/issues/17
http://nodesecurity.io/advisories/310
http://www.owasp.org/index.php/Insecure_Temporary_File


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###