PT-2017-4329 · Node.Js · Chownr
Hackskop
·
Publicado
2017-06-15
·
Atualizado
2022-02-10
·
CVE-2017-18869
CVSS v3.1
2.5
Baixa
| Vetor | AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
chownr package versions prior to 1.1.0 for Node.js 10.10
Description:
The issue is related to a TOCTOU (Time-of-Check-to-Time-of-Use) problem in the chownr package, which can be exploited by a local attacker to trick it into descending into unintended directories via symlink attacks. This can potentially allow an attacker to gain unauthorized access to arbitrary directories.
Recommendations:
For versions prior to 1.1.0, update the chownr package to version 1.1.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the chownr package until a patch is available.
Exploit
Correção
Time Of Check To Time Of Use
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Chownr