Main Vulnerability Database Vulnerabilities #VU23921

#VU23921 UNIX symbolic link following in bin-links

Published: January 3, 2020 / Updated: January 5, 2020

Vulnerability identifier: #VU23921

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
bin-links

Software vendor:
isaacs

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a symlink following issue. A remote attacker can create a specially crafted symbolic link to files outside the thenode_modules folder through the bin field. This may allow attackers to access unauthorized files and gain access to sensitive information on the system.

Remediation

Update to version 1.1.5.

External links

https://www.npmjs.com/advisories/1435