CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz #165

mend-bolt-for-github · 2021-04-08T01:59:13Z

CVE-2017-18869 - Low Severity Vulnerability

Vulnerable Library - chownr-1.0.1.tgz

like `chown -R`

Library home page: https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz

Dependency Hierarchy:

browser-sync-2.24.3.tgz (Root Library)
- chokidar-1.7.0.tgz
  - fsevents-1.2.3.tgz
    - node-pre-gyp-0.9.1.tgz
      - tar-4.4.1.tgz
        
        ❌ chownr-1.0.1.tgz (Vulnerable Library)

Vulnerability Details

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

Publish Date: 2020-06-15

URL: CVE-2017-18869

CVSS 3 Score Details (2.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869

Release Date: 2020-06-15

Fix Resolution: 1.1.0

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Apr 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz #165

CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz #165

mend-bolt-for-github bot commented Apr 8, 2021

CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz #165

CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz #165

Comments

mend-bolt-for-github bot commented Apr 8, 2021

CVE-2017-18869 - Low Severity Vulnerability