CVE-2017-16024
 
Descriptions
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.
Timeline
- 2017-10-29 CVE Reserved
- 2018-06-04 CVE Published
- 2023-10-26 EPSS Updated
- 2024-09-16 CVE Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-377: Insecure Temporary File
References (4)
URL | Tag | Source |
---|---|---|
https://cwe.mitre.org/data/definitions/377.html | Third Party Advisory | |
https://github.com/gvarsanyi/sync-exec/issues/17 | Issue Tracking | |
https://nodesecurity.io/advisories/310 | Third Party Advisory | |
https://www.owasp.org/index.php/Insecure_Temporary_File | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Sync-exec Project | Sync-exec | <= 0.6.2 | node.js | Affected |
Nodejs | Node.js | < 0.11.9 | - | Affected |