CVE-2017-16024

CWE-377CWE-200Information Exposure4 documents4 sources
Severity
6.5MEDIUM
EPSS
0.4%
top 41.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Nodejs Node.jsSync-exec Project Sync-execHackerone Sync-exec Node Module
Timeline
PublishedJun 4
Latest updateNov 9

Description

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5hackerone/sync-exec_node_moduleAll versions
npmsync-exec0.6.2
NVDnodejs/node.js< 0.11.9

🔴Vulnerability Details

3
OSV
Tmp files readable by other users in sync-exec2018-11-09
GHSA
Tmp files readable by other users in sync-exec2018-11-09
CVEList
CVE-2017-16024: The sync-exec module is used to simulate child_process2018-06-04
CVE-2017-16024 (MEDIUM CVSS 6.5) | The sync-exec module is used to sim | cvebase.io