CVE-2017-16024

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Published: Jun 4, 2018
Updated: May 9, 2024
CVE: CVE-2017-16024
GHSA: GHSA-38h8-x697-gh8q
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-200
CWE-377

Affected Software
References

Software	From	Fixed in
sync-exec_project / sync-exec	-	0.6.2.x
nodejs / node.js	-	0.11.9
sync-exec	-	0.6.2.x

https://cwe.mitre.org/data/definitions/377.html
https://github.com/gvarsanyi/sync-exec/issues/17
https://nodesecurity.io/advisories/310
https://www.npmjs.com/advisories/310
https://www.owasp.org/index.php/Insecure_Temporary_File

Vulnerability Database

289,599

CVE-2017-16024