CVE-2017-18869

low-risk

Published 2020-06-15

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.5/10 Low

LOCAL / HIGH complexity

Affected Products (1)

Chownr

Affected Vendors

Chownr Project

References (8)

Third Party Advisory https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985

Permissions Required https://bugzilla.redhat.com/show_bug.cgi?id=1611614

Third Party Advisory https://github.com/isaacs/chownr/issues/14

Exploit https://snyk.io/vuln/npm:chownr:20180731

Third Party Advisory https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985

Permissions Required https://bugzilla.redhat.com/show_bug.cgi?id=1611614

Third Party Advisory https://github.com/isaacs/chownr/issues/14

Exploit https://snyk.io/vuln/npm:chownr:20180731

/ 100

low-risk

Severity 6/34 · Minimal

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal