Insecure use of Tmp files Affecting sync-exec package, versions *


Severity

medium

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.12% (48th percentile)

  • Snyk ID npm:sync-exec:20160124
  • published 16 Apr 2017
  • disclosed 24 Jan 2016
  • credit maxnikulin

How to fix?

There is no fix version for sync-exec.

Overview

sync-exec is an fs.execSync replacement for node <0.12.

Affected versions of this package use tmp directories in an insecure way. The file creation step will always return true, regardless of whether the directory already exists and/or belongs to another user. Any user on the server may read the contents of this tmp file, which may expose confidential information to an attacker.
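
The pattern described above next to a hardened form, as an added example that is not sync-exec's code or part of the original advisory. It assumes Node.js on a POSIX system; the function names are hypothetical.

```javascript
// Added example, not sync-exec code. Assumes Node.js on a POSIX system.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Pattern the advisory describes (constructed illustration): a predictable
// directory name, and an "already exists" error treated as success, so a
// directory that exists and belongs to another user is accepted.
function insecureTmpDir(name) {
  const dir = path.join(os.tmpdir(), name);
  try {
    fs.mkdirSync(dir);
  } catch (err) {
    if (err.code !== 'EEXIST') throw err;
  }
  return dir; // caller cannot tell whether it owns this directory
}

// Ownership and permission check: a real directory (not a symlink), owned
// by the current user, with no group/other permission bits set.
function isPrivateDir(dir) {
  const st = fs.lstatSync(dir);
  return st.isDirectory() && st.uid === process.getuid() &&
    (st.mode & 0o077) === 0;
}

// Hardened form: mkdtempSync appends random characters and creates the
// directory with mode 0700; it never reuses an existing path.
function secureTmpDir(prefix) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
  if (!isPrivateDir(dir)) throw new Error('unsafe temp directory: ' + dir);
  return dir;
}

// Write output readable by the owner only; the 'wx' flag fails with EEXIST
// instead of following or overwriting a file that is already there.
function writePrivateFile(dir, name, data) {
  const file = path.join(dir, name);
  fs.writeFileSync(file, data, { mode: 0o600, flag: 'wx' });
  return file;
}
```

Running `isPrivateDir` on the path returned by `insecureTmpDir` is a quick way to audit existing code that follows the first pattern.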

CVSS Scores

version 3.1
Snyk (Recommended): 4 medium
  • Attack Vector (AV): Local
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): Low
  • Integrity (I): None
  • Availability (A): None