NodeJS/cli/0.4.3
A tool for rapidly building command line apps
Repo Link:
https://www.npmjs.com/package/cli
License:
MIT
3 Security Vulnerabilities
Published date: 2022-05-24T17:02:32Z
CVE: CVE-2016-1000021
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6cpc-mj5c-m9rq. This link is maintained to preserve external references.
Original Description
An issue exists in node-cli 0.1.0 through 0.11.3 due to predictable temporary file names in lockfile and log file, which allows an attacker to overwrite files.
Affected versions:
["0.1.0", "0.1.3", "0.1.5", "0.1.7", "0.1.8", "0.1.9", "0.2.1-1", "0.2.3-1", "0.2.3-2", "0.2.3-3", "0.2.4-2", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.3.3", "0.3.6", "0.3.8", "0.4.2", "0.4.3", "0.4.4", "0.4.4-2", "0.4.5", "0.6.3", "0.6.4", "0.6.5", "0.6.6", "0.7.1", "0.11.0", "0.11.2", "0.1.1", "0.1.4", "0.1.6", "0.2.0", "0.2.2-1", "0.2.3-4", "0.2.3-5", "0.2.4-1", "0.3.1", "0.3.2", "0.3.4", "0.3.5", "0.3.7", "0.3.9", "0.4.0", "0.4.1", "0.4.4-1", "0.5.0", "0.6.0", "0.6.2", "0.7.0", "0.8.0", "0.9.0", "0.10.0", "0.11.1", "0.11.3"]
Secure versions:
[1.0.0, 1.0.1]
Recommendation:
Update to version 1.0.1.
Published date: 2019-02-18T23:40:03Z
CVE: CVE-2016-10538
Affected versions of cli use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names before the cli process starts, the attacker can arbitrarily write to any file that the user who owns the cli process has permission to write to.
Proof of Concept
If a symbolic link is placed at either of the following locations before the cli process starts, whatever the link points to is overwritten instead of the intended temporary file:
// both paths are fully predictable from the app name and live in the shared, world-writable /tmp
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
Recommendation
Update to version 1.0.0 or later.
Affected versions:
["0.1.0", "0.1.3", "0.1.5", "0.1.7", "0.1.8", "0.1.9", "0.2.1-1", "0.2.3-1", "0.2.3-2", "0.2.3-3", "0.2.4-2", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.3.3", "0.3.6", "0.3.8", "0.4.2", "0.4.3", "0.4.4", "0.4.4-2", "0.4.5", "0.6.3", "0.6.4", "0.6.5", "0.6.6", "0.7.1", "0.11.0", "0.11.2", "0.1.1", "0.1.4", "0.1.6", "0.2.0", "0.2.2-1", "0.2.3-4", "0.2.3-5", "0.2.4-1", "0.3.1", "0.3.2", "0.3.4", "0.3.5", "0.3.7", "0.3.9", "0.4.0", "0.4.1", "0.4.4-1", "0.5.0", "0.6.0", "0.6.2", "0.7.0", "0.8.0", "0.9.0", "0.10.0", "0.11.1", "0.11.3"]
Secure versions:
[1.0.0, 1.0.1]
Recommendation:
Update to version 1.0.1.
Published date: 2016-06-15
CVSS Score: 1.9
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Coordinating vendor: ^Lift Security
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
The package node-cli creates its lock file and log file under predictable names in /tmp. Both files are temporary, but because anyone who can write to /tmp can pre-create a symbolic link at those names, an attacker can cause the user who starts the cli process to overwrite any file that user has write access to.
Affected versions:
["0.1.0", "0.1.1", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.2.0", "0.2.1-1", "0.2.2-1", "0.2.3-1", "0.2.3-2", "0.2.3-3", "0.2.3-4", "0.2.3-5", "0.2.4-1", "0.2.4-2", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.7", "0.3.8", "0.3.9", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.4-1", "0.4.4-2", "0.4.5", "0.5.0", "0.6.0", "0.6.2", "0.6.3", "0.6.4", "0.6.5", "0.6.6", "0.7.0", "0.7.1", "0.8.0", "0.9.0", "0.10.0", "0.11.0", "0.11.1", "0.11.2", "0.11.3"]
Secure versions:
[1.0.0, 1.0.1]
Recommendation:
Update to version 1.0.0 or later