UNIX Hard Link in fstream

#VU18601 UNIX Hard Link in fstream

Published: 2019-05-24

Vulnerability identifier: #VU18601

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-62

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
fstream
Web applications / JS libraries

Vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to arbitrary file overwrite.

The vulnerability exists due to a file that matches the hardlink overwrites the system's file with the contents of the extracted file. A remote attacker can cause the software to operate on unauthorized files.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

fstream: 0.0.1 - v1.0.11

External links
http://snyk.io/vuln/SNYK-JS-FSTREAM-174725

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

UNIX Hard Link in fstream package for NPM