CVE-2016-10538
Arbitrary File Write in cli
EPSS 0.32%
Description
Affected versions of `cli` use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user that owns the `cli` process has permission to write to.

## Proof of Concept

By creating symbolic links at the following locations, the target of the link can be written to.

```javascript
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
```

## Recommendation

Update to version 1.0.0 or later.
How to fix CVE-2016-10538
To remediate CVE-2016-10538, upgrade the affected package to a fixed version below.
- Upgrade to 1.0.0 or later
Is CVE-2016-10538 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `cli`: from 0, < 1.0.0