Time of Check Time of Use (TOCTOU) Affecting chownr package, versions <1.1.0
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Threat Intelligence
EPSS
0.04% (6th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:chownr:20180731
- published 31 Jul 2018
- disclosed 31 Jul 2018
- credit Jeff Epler
Introduced: 31 Jul 2018
CVE-2017-18869 Open this link in a new tabHow to fix?
Upgrade chownr
to version 1.1.0 or higher.
Overview
chownr is a package that takes the same arguments as fs.chown()
Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU). Affected versions of this package are vulnerable toTime of Check Time of Use (TOCTOU) attacks.
It does not dereference symbolic links and changes the owner of the link, which can trick it into descending into unintended trees if a non-symlink is replaced by a symlink at a critical moment:
fs.lstat(pathChild, function(er, stats) {
if (er)
return cb(er)
if (!stats.isSymbolicLink())
chownr(pathChild, uid, gid, then)