A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
Weakness
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Chownr | Chownr_project | * | 1.1.0 (excluding) |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs8-nodejs-0:8.17.0-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-nodejs8-nodejs-0:8.17.0-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs8-nodejs-0:8.17.0-2.el7 | * |
| Node-chownr | Ubuntu | focal | * |
| Node-chownr | Ubuntu | groovy | * |
| Node-chownr | Ubuntu | hirsute | * |
| Node-chownr | Ubuntu | impish | * |
| Node-chownr | Ubuntu | kinetic | * |
| Node-chownr | Ubuntu | lunar | * |
| Node-chownr | Ubuntu | mantic | * |
| Node-chownr | Ubuntu | oracular | * |
| Node-chownr | Ubuntu | plucky | * |
| Node-chownr | Ubuntu | trusty | * |
Potential Mitigations
Related Attack Patterns
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985
- https://bugzilla.redhat.com/show_bug.cgi?id=1611614
- https://github.com/isaacs/chownr/issues/14
- https://snyk.io/vuln/npm:chownr:20180731
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985
- https://bugzilla.redhat.com/show_bug.cgi?id=1611614
- https://github.com/isaacs/chownr/issues/14
- https://snyk.io/vuln/npm:chownr:20180731