A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Chownr | Chownr_project | * | 1.1.0 (excluding) |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs8-nodejs-0:8.17.0-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-nodejs8-nodejs-0:8.17.0-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs8-nodejs-0:8.17.0-2.el7 | * |
| Node-chownr | Ubuntu | groovy | * |
| Node-chownr | Ubuntu | hirsute | * |
| Node-chownr | Ubuntu | impish | * |
| Node-chownr | Ubuntu | kinetic | * |
| Node-chownr | Ubuntu | lunar | * |
| Node-chownr | Ubuntu | mantic | * |
| Node-chownr | Ubuntu | trusty | * |