CVE-2019-13173
Published: 2 July 2019
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
From the Ubuntu Security Team
It was discovered that npm/fstream incorrectly handled certain crafted tarballs. An attacker could use this vulnerability to write arbitrary files to the filesystem.
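The entry pattern in the description above (a hardlink entry plus a regular file entry with the same name) can be looked for before an archive reaches an extractor. This is an added example, not code from fstream or from Ubuntu; `auditTar`, the finding labels, and the sample entry name and link target are assumptions constructed for illustration, and only the basic 100-byte name fields of each header are read.

```javascript
// Added example, not fstream code. Basic headers only (no long-name extensions).
const BLOCK = 512;
// Read a NUL-terminated field from a tar header block.
function field(hdr, off, len) {
  const end = hdr.indexOf(0, off);
  return hdr.toString('latin1', off, end === -1 || end > off + len ? off + len : end);
}

// Hardlink targets are relative to the archive root; true if one leaves it.
function escapesRoot(target) {
  let depth = 0;
  for (const seg of target.split('/')) {
    if (seg === '..') depth--;
    else if (seg !== '' && seg !== '.') depth++;
    if (depth < 0) return true;
  }
  return target.startsWith('/');
}

function auditTar(buf) {
  const findings = [];
  const hardlinks = new Map(); // entry name -> link target
  for (let off = 0; off + BLOCK <= buf.length;) {
    const hdr = buf.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break; // end-of-archive marker
    const name = field(hdr, 0, 100);
    const size = parseInt(field(hdr, 124, 12).trim() || '0', 8);
    const type = String.fromCharCode(hdr[156] || 48); // NUL type = regular file
    const linkname = field(hdr, 157, 100);
    if (type === '1') { // hardlink entry
      hardlinks.set(name, linkname);
      if (escapesRoot(linkname)) findings.push({ name, linkname, issue: 'hardlink-outside-root' });
    } else if (type === '0' && hardlinks.has(name)) {
      findings.push({ name, linkname: hardlinks.get(name), issue: 'file-replaces-hardlink' });
    }
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // skip header and padded data
  }
  return findings;
}

// Constructed sample header: only the fields the audit reads are filled in.
function header(name, type, linkname = '', size = 0) {
  const h = Buffer.alloc(BLOCK);
  const put = [[name, 0], [size.toString(8).padStart(11, '0'), 124], [type, 156], [linkname, 157]];
  for (const [s, off] of put) h.write(s, off, 'latin1');
  return h;
}
const sample = Buffer.concat([header('app.conf', '1', '/constructed/existing-file'),
  header('app.conf', '0', '', 5), Buffer.alloc(BLOCK, 'x'), Buffer.alloc(BLOCK * 2)]);
console.log(auditTar(sample));
```

An archive that produces either finding is best rejected or unpacked only in a throwaway directory with an extractor that contains the fix.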
Notes
Author | Note |
---|---|
ebarretto | According to a Github comment, the fix might not be enough. |
Priority
Status
Package | Release | Status |
---|---|---|
node-fstream | bionic | Released (1.0.10-1ubuntu0.18.04.1) |
node-fstream | cosmic | Ignored (end of life) |
node-fstream | disco | Released (1.0.10-1ubuntu0.19.04.2) |
node-fstream | eoan | Released (1.0.12-1) |
node-fstream | focal | Released (1.0.12-1) |
node-fstream | groovy | Released (1.0.12-1) |
node-fstream | hirsute | Released (1.0.12-1) |
node-fstream | impish | Released (1.0.12-1) |
node-fstream | jammy | Released (1.0.12-1) |
node-fstream | trusty | Released (0.1.24-1ubuntu0.14.04.1~esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
node-fstream | upstream | Released (1.0.12-1) |
node-fstream | xenial | Released (0.1.24-1ubuntu0.16.04.1~esm1), available with Ubuntu Pro |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |