Tmp files readable by other users in sync-exec
Moderate severity
GitHub Reviewed
Published
Nov 9, 2018
to the GitHub Advisory Database
•
Updated Sep 7, 2023
Description
Published to the GitHub Advisory Database
Nov 9, 2018
Reviewed
Jun 16, 2020
Last updated
Sep 7, 2023
Affected versions of
sync-execuse files located in/tmp/to buffer command results before returning values. As/tmp/is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run viasync-execunder a higher privilege user.Recommendation
There is currently no direct patch for
sync-exec, as thechild_process.execSyncfunction provided in Node.js v0.12.0 and later provides the same functionality natively.The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of
sync-exectochild_process.execSync().References