Insecure use of Tmp files Affecting sync-exec package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Insecure use of Tmp files vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:sync-exec:20160124
- published16 Apr 2017
- disclosed24 Jan 2016
- creditmaxnikulin
Introduced: 24 Jan 2016
CVE-2017-16024 (opens in a new tab)How to fix?
There is no fix version for sync-exec.
Overview
sync-exec is an fs.execSync replacement for node <0.12.
Affected versions of this package use tmp directories in an insecure way. The file to create will allways return true, regardess if the directory already exists and/or belongs to another user. Any user on the server may read the contents of this tmp file and may expose confidential information to an attacker.