PT-2017-4329 · Node.Js · Chownr

Hackskop

Published

2017-06-15

Updated

2022-02-10

CVE-2017-18869

CVSS v3.1

2.5

Low

Vector

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: chownr package versions prior to 1.1.0 for Node.js 10.10

Description: The issue is related to a TOCTOU (Time-of-Check-to-Time-of-Use) problem in the chownr package, which can be exploited by a local attacker to trick it into descending into unintended directories via symlink attacks. This can potentially allow an attacker to gain unauthorized access to arbitrary directories.

Recommendations: For versions prior to 1.1.0, update the chownr package to version 1.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the chownr package until a patch is available.

Exploit

Fix

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-367

Related Identifiers

BDU:2024-01722

CVE-2017-18869

GHSA-C6RQ-RJC2-86V2

MGASA-2021-0169

RHSA-2020:2625

Affected Products

Chownr

PT-2017-4329 · Node.Js · Chownr

CVE-2017-18869

Weakness Enumeration

Related Identifiers

Affected Products

References · 20