CVE-2019-13173 (High) detected in fstream-0.1.31.tgz, fstream-1.0.11.tgz #116

Open
@mend-bolt-for-github

Description

CVE-2019-13173 - High Severity Vulnerability

Vulnerable Libraries - fstream-0.1.31.tgz, fstream-1.0.11.tgz

fstream-0.1.31.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz

Path to dependency file: angular/yarn.lock

Path to vulnerable library: angular/yarn.lock

Dependency Hierarchy:

  • karma-browserstack-launcher-1.3.0.tgz (Root Library)
    • browserstacktunnel-wrapper-2.0.2.tgz
      • unzip-0.1.11.tgz
        • fstream-0.1.31.tgz (Vulnerable Library)

fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: angular/aio/yarn.lock

Path to vulnerable library:

  • angular/aio/yarn.lock
  • angular/integration/injectable-def/yarn.lock
  • angular/integration/cli-hello-world/yarn.lock
  • angular/integration/cli-hello-world-ivy-compat/yarn.lock
  • angular/integration/ng_elements/yarn.lock
  • angular/integration/dynamic-compiler/yarn.lock
  • angular/integration/hello_world__closure/yarn.lock
  • angular/integration/cli-hello-world-ivy-minimal/yarn.lock
  • angular/integration/i18n/yarn.lock
  • angular/integration/hello_world__systemjs_umd/yarn.lock
  • angular/integration/ng_update/yarn.lock

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.5.tgz
      • chokidar-1.7.0.tgz
        • fsevents-1.1.3.tgz
          • node-pre-gyp-0.6.39.tgz
            • tar-2.2.1.tgz
              • fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: cf1f1c0344fa01406f61ff7437a72714be39b47e

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12
