CVE-2016-10538

low-risk
Published 2018-05-31

The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Do I need to act?

-
0.32% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.5/10 Low
NETWORK / LOW complexity

Affected Products (2)

Cli

Affected Vendors

Debian Cli Project

References (6)

Third Party Advisory https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809252
Exploit https://github.com/node-js-libs/cli/issues/81
Exploit https://nodesecurity.io/advisories/95
Third Party Advisory https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809252
Exploit https://github.com/node-js-libs/cli/issues/81
Exploit https://nodesecurity.io/advisories/95
24
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low