#VU20065 UNIX hard link in fstream - CVE-2019-13173
Published: August 13, 2019
Vulnerability identifier: #VU20065
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-13173
CWE-ID: CWE-62
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
fstream
fstream
Software vendor:
Node.js Foundation
Node.js Foundation
Description
The vulnerability allows a remote attacker to overwrite files on the system.
The vulnerability exists due to insufficient validation of files within archives in fstream.DirWriter() function. A remote attacker can create a tarball containing a hardlink to a file that already exists in the system and overwrite arbitrary files on the system.
Successful exploitation of the vulnerability may allow remote code execution but requires the ability to pass specially crafted tarballs to the application.
Remediation
Install updates from vendor's website.