Vulnerability Description
The package `node-cli` before 1.0.0 insecurely uses its lock_file and log_file. Both are temporary files, but the way they are created allows the user who starts the program to overwrite any file that user has access to.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cli Project | Cli | < 1.0.0 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809252 (Third Party Advisory)
- https://github.com/node-js-libs/cli/issues/81 (Exploit, Third Party Advisory)
- https://nodesecurity.io/advisories/95 (Exploit, Third Party Advisory)
FAQ
What is CVE-2016-10538?
CVE-2016-10538 is a vulnerability with a CVSS score of 3.5 (LOW). The package `node-cli` before 1.0.0 insecurely uses its lock_file and log_file. Both are temporary files, but the way they are created allows the user who starts the program to overwrite any file that user has access to.
How severe is CVE-2016-10538?
CVE-2016-10538 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10538?
Check the references section above for vendor advisories and patch information. Affected products include: Cli Project Cli, Debian Debian Linux.