CVE-2017-16024

Description

Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user. ## Recommendation There is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.

How to fix CVE-2017-16024

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2017-16024 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 0.6.2

CVSS scores

References (6)

• ADVISORYgithub.com/advisories/GHSA-38h8-x697-gh8q
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-16024
• WEBcwe.mitre.org/data/definitions/377.html
• WEBgithub.com/gvarsanyi/sync-exec/issues/17
• WEBwww.npmjs.com