NodeJS/cli/0.1.9
A tool for rapidly building command line apps
https://www.npmjs.com/package/cli
MIT
3 Security Vulnerabilities
Duplicate Advisory: Node CLI Allows Arbitrary File Overwrite
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000021
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000021
- https://nvd.nist.gov/vuln/detail/CVE-2016-10538
- https://github.com/node-js-libs/cli/issues/81
- https://web.archive.org/web/20190430172230/https://www.npmjs.com/advisories/95
- https://github.com/advisories/GHSA-3mrp-qhcj-mwv5
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6cpc-mj5c-m9rq. This link is maintained to preserve external references.
Original Description
An issue exists in node-cli 0.1.0 through 0.11.3 due to predictable temporary file names in lockfile and logfile, which allows an attacker to overwrite files.
Arbitrary File Write in cli
Affected versions of cli use predictable temporary file names for its lock file and log file. If an attacker can create a symbolic link at one of these predictable paths before the file is opened, the write is redirected to the link's target, so the attacker can overwrite any file that the user who owns the cli process has permission to write to.
Proof of Concept
Creating a symbolic link at either of the following paths causes the link's target to be written to. cli.app is the application's name, so both paths are predictable to any local user who knows which program is running:
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
Recommendation
Update to version 1.0.0 or later.
Arbitrary File Write
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
The node-cli package creates its lock file and log file at fixed, predictable paths under /tmp. Both files are temporary, but because their names are guessable and the files are opened without rejecting a pre-existing path, a local attacker can redirect them so that the user who started the process overwrites any file that user has access to.
59 Other Versions
Version | License | Security advisories | Released | Age |
---|---|---|---|---|
1.0.1 | MIT | | 2016-10-23 - 03:58 | over 7 years |
1.0.0 | MIT | | 2016-08-16 - 20:37 | over 7 years |
0.11.3 | MIT | 3 | 2016-08-06 - 23:19 | almost 8 years |
0.11.2 | MIT | 3 | 2016-03-07 - 08:38 | about 8 years |
0.11.1 | MIT | 3 | 2015-11-02 - 21:12 | over 8 years |
0.11.0 | MIT | 3 | 2015-10-11 - 02:29 | over 8 years |
0.10.0 | MIT | 3 | 2015-09-06 - 03:14 | over 8 years |
0.9.0 | MIT | 3 | 2015-07-29 - 22:36 | almost 9 years |
0.8.0 | MIT | 3 | 2015-06-06 - 01:46 | almost 9 years |
0.7.1 | MIT | 3 | 2015-06-03 - 21:54 | almost 9 years |
0.7.0 | MIT | 3 | 2015-05-28 - 06:43 | almost 9 years |
0.6.6 | MIT | 3 | 2015-03-28 - 00:49 | about 9 years |
0.6.5 | MIT | 3 | 2014-10-20 - 09:10 | over 9 years |
0.6.4 | MIT | 3 | 2014-08-27 - 03:47 | over 9 years |
0.6.3 | MIT | 3 | 2014-06-03 - 01:59 | almost 10 years |
0.6.2 | MIT | 3 | 2014-05-05 - 00:02 | about 10 years |
0.6.0 | MIT | 3 | 2014-05-04 - 22:45 | about 10 years |
0.5.0 | MIT | 3 | 2014-04-24 - 04:56 | about 10 years |
0.4.5 | MIT | 3 | 2013-07-31 - 10:00 | almost 11 years |
0.4.4 | MIT | 3 | 2012-05-17 - 05:44 | almost 12 years |
0.4.4-2 | MIT | 3 | 2012-09-24 - 09:02 | over 11 years |
0.4.4-1 | MIT | 3 | 2012-05-17 - 05:46 | almost 12 years |
0.4.3 | MIT | 3 | 2012-04-29 - 01:44 | about 12 years |
0.4.2 | MIT | 3 | 2012-04-10 - 22:20 | about 12 years |
0.4.1 | MIT | 3 | 2012-02-24 - 21:54 | about 12 years |
0.4.0 | MIT | 3 | 2011-12-31 - 04:33 | over 12 years |
0.3.9 | MIT | 3 | 2011-12-31 - 04:17 | over 12 years |
0.3.8 | MIT | 3 | 2011-09-19 - 12:01 | over 12 years |
0.3.7 | MIT | 3 | 2011-06-30 - 02:40 | almost 13 years |
0.3.6 | MIT | 3 | 2011-05-24 - 09:52 | almost 13 years |
0.3.5 | MIT | 3 | 2011-05-24 - 09:48 | almost 13 years |
0.3.4 | MIT | 3 | 2011-05-22 - 00:29 | almost 13 years |
0.3.3 | MIT | 3 | 2011-05-19 - 20:54 | almost 13 years |
0.3.2 | MIT | 3 | 2011-05-19 - 10:31 | almost 13 years |
0.3.1 | MIT | 3 | 2011-05-16 - 10:41 | about 13 years |
0.3.0 | MIT | 3 | 2011-05-13 - 14:10 | about 13 years |
0.2.8 | MIT | 3 | 2011-03-12 - 00:18 | about 13 years |
0.2.7 | MIT | 3 | 2011-02-25 - 19:35 | about 13 years |
0.2.6 | MIT | 3 | 2011-02-02 - 08:26 | over 13 years |
0.2.5 | MIT | 3 | 2011-02-01 - 02:42 | over 13 years |
0.2.4-2 | MIT | 3 | 2011-01-15 - 00:41 | over 13 years |
0.2.4-1 | MIT | 3 | 2011-01-14 - 23:53 | over 13 years |
0.2.3-5 | MIT | 3 | 2011-01-13 - 10:24 | over 13 years |
0.2.3-4 | MIT | 3 | 2011-01-08 - 10:46 | over 13 years |
0.2.3-3 | MIT | 3 | 2011-01-08 - 10:43 | over 13 years |
0.2.3-2 | MIT | 3 | 2011-01-06 - 11:23 | over 13 years |
0.2.3-1 | MIT | 3 | 2011-01-06 - 11:14 | over 13 years |
0.2.2-1 | MIT | 3 | 2011-01-06 - 07:06 | over 13 years |
0.2.1-1 | MIT | 3 | 2011-01-05 - 01:10 | over 13 years |
0.2.0 | MIT | 3 | 2011-01-05 - 00:49 | over 13 years |
0.1.9 | MIT | 3 | 2011-01-05 - 00:38 | over 13 years |
0.1.8 | MIT | 3 | 2011-01-04 - 15:52 | over 13 years |
0.1.7 | MIT | 3 | 2011-01-04 - 04:06 | over 13 years |
0.1.6 | MIT | 3 | 2011-01-04 - 03:38 | over 13 years |
0.1.5 | MIT | 3 | 2011-01-04 - 03:32 | over 13 years |
0.1.4 | MIT | 3 | 2011-01-04 - 03:19 | over 13 years |
0.1.3 | MIT | 3 | 2011-01-04 - 02:42 | over 13 years |
0.1.1 | MIT | 3 | 2011-01-02 - 13:27 | over 13 years |
0.1.0 | MIT | 3 | 2011-01-01 - 07:20 | over 13 years |