PT-2019-5176 · Node.Js+2 · Fstream+2

Published: 2019-01-15 · Updated: 2022-11-11 · CVE-2019-13173

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

fstream versions prior to 1.0.12

Description

The issue exists due to insufficient input validation in the fstream.DirWriter() function. This can be exploited by a remote attacker to overwrite files in the system. Specifically, extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file.

Recommendations

For versions prior to 1.0.12, upgrade to version 1.0.12 or later. As a temporary workaround, consider disabling the fstream.DirWriter() function until a patch is available. Restrict access to the fstream package to minimize the risk of exploitation. Avoid using the fstream.DirWriter() function in the affected API endpoints until the issue is resolved.
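
A pre-extraction audit for the entry pattern in the description, as an added example that is not part of the advisory or of fstream: it reads tar metadata with Python's standard `tarfile` module and flags any entry that reuses the name of an earlier link entry, plus link targets that resolve outside the extraction directory. It goes slightly beyond the advisory by treating symlinks the same way as hardlinks; the `/srv/extract` root, the helper names and the sample entries are assumptions constructed for illustration.

```python
import posixpath
import tarfile


def audit_members(members, root="/srv/extract"):
    """Return (entry name, reason) pairs for link entries that can redirect a write.

    `root` is a hypothetical extraction directory used only for path arithmetic;
    nothing is read from or written to disk.
    """
    findings = []
    links = {}  # normalised entry name -> link target declared earlier in the archive
    for m in members:
        name = posixpath.normpath(m.name)
        if name in links:
            # The pattern from the description: a later entry matches an earlier link.
            findings.append((m.name, "reuses name of earlier link to " + links[name]))
        if m.islnk() or m.issym():
            # Hardlink targets are relative to the archive root, symlink targets
            # to the directory holding the link.
            base = root if m.islnk() else posixpath.join(root, posixpath.dirname(name))
            target = posixpath.normpath(posixpath.join(base, m.linkname))
            if target != root and not target.startswith(root + "/"):
                findings.append((m.name, "link target outside extraction root: " + m.linkname))
            links[name] = m.linkname
    return findings


def audit_archive(path, root="/srv/extract"):
    """Audit a tar file on disk without extracting it."""
    with tarfile.open(path) as tf:
        return audit_members(tf, root)


def make_entry(name, kind=tarfile.REGTYPE, linkname=""):
    """Build tar entry metadata for the constructed sample below."""
    info = tarfile.TarInfo(name)
    info.type, info.linkname = kind, linkname
    return info


# Constructed sample metadata (no archive is built); the link target is a placeholder.
SAMPLE = [
    make_entry("pkg/README.md"),
    make_entry("pkg/config", tarfile.LNKTYPE, "/placeholder/existing-file"),
    make_entry("pkg/config"),
    make_entry("pkg/docs", tarfile.LNKTYPE, "pkg/README.md"),
]
```

Rejecting an archive with any finding before it reaches the extractor is a stopgap for deployments that cannot yet move to fstream 1.0.12 or later.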

Fix

Link Following

RCE

Weakness Enumeration

Related identifiers

BDU:2020-01847
CVE-2019-13173
GHSA-XF7W-R453-M56C
OESA-2022-1584
OESA-2022-2084
OPENSUSE-SU-2019:1846-1
OPENSUSE-SU-2019:1907-1
OPENSUSE-SU-2019_1846-1
OPENSUSE-SU-2019_1907-1
SUSE-SU-2019:14246-1
SUSE-SU-2019:2055-1
SUSE-SU-2019:2078-1
SUSE-SU-2019:2081-1
SUSE-SU-2019:2099-1
SUSE-SU-2019:2181-1
SUSE-SU-2019_14246-1
SUSE-SU-2019_2055-1
SUSE-SU-2019_2078-1
SUSE-SU-2019_2081-1
SUSE-SU-2019_2099-1
SUSE-SU-2019_2181-1
SUSE-SU-2020:0059-1
SUSE-SU-2020_0059-1
USN-4123-1
USN-4863-1

Affected products

Suse
Ubuntu
Fstream