Vulnerability Details CVE-2019-13173
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 70.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.4
Products affected by CVE-2019-13173
- cpe:2.3:a:fstream_project:fstream:0.0.1
- cpe:2.3:a:fstream_project:fstream:0.1.0
- cpe:2.3:a:fstream_project:fstream:0.1.1
- cpe:2.3:a:fstream_project:fstream:0.1.10
- cpe:2.3:a:fstream_project:fstream:0.1.11
- cpe:2.3:a:fstream_project:fstream:0.1.12
- cpe:2.3:a:fstream_project:fstream:0.1.13
- cpe:2.3:a:fstream_project:fstream:0.1.14
- cpe:2.3:a:fstream_project:fstream:0.1.15
- cpe:2.3:a:fstream_project:fstream:0.1.16
- cpe:2.3:a:fstream_project:fstream:0.1.17
- cpe:2.3:a:fstream_project:fstream:0.1.18
- cpe:2.3:a:fstream_project:fstream:0.1.19
- cpe:2.3:a:fstream_project:fstream:0.1.2
- cpe:2.3:a:fstream_project:fstream:0.1.20
- cpe:2.3:a:fstream_project:fstream:0.1.21
- cpe:2.3:a:fstream_project:fstream:0.1.22
- cpe:2.3:a:fstream_project:fstream:0.1.23
- cpe:2.3:a:fstream_project:fstream:0.1.24
- cpe:2.3:a:fstream_project:fstream:0.1.25
- cpe:2.3:a:fstream_project:fstream:0.1.26
- cpe:2.3:a:fstream_project:fstream:0.1.27
- cpe:2.3:a:fstream_project:fstream:0.1.28
- cpe:2.3:a:fstream_project:fstream:0.1.29
- cpe:2.3:a:fstream_project:fstream:0.1.3
- cpe:2.3:a:fstream_project:fstream:0.1.30
- cpe:2.3:a:fstream_project:fstream:0.1.31
- cpe:2.3:a:fstream_project:fstream:0.1.4
- cpe:2.3:a:fstream_project:fstream:0.1.5
- cpe:2.3:a:fstream_project:fstream:0.1.6
- cpe:2.3:a:fstream_project:fstream:0.1.7
- cpe:2.3:a:fstream_project:fstream:0.1.8
- cpe:2.3:a:fstream_project:fstream:0.1.9
- cpe:2.3:a:fstream_project:fstream:1.0.0
- cpe:2.3:a:fstream_project:fstream:1.0.1
- cpe:2.3:a:fstream_project:fstream:1.0.10
- cpe:2.3:a:fstream_project:fstream:1.0.11
- cpe:2.3:a:fstream_project:fstream:1.0.2
- cpe:2.3:a:fstream_project:fstream:1.0.3
- cpe:2.3:a:fstream_project:fstream:1.0.4
- cpe:2.3:a:fstream_project:fstream:1.0.5
- cpe:2.3:a:fstream_project:fstream:1.0.6
- cpe:2.3:a:fstream_project:fstream:1.0.7
- cpe:2.3:a:fstream_project:fstream:1.0.8
- cpe:2.3:a:fstream_project:fstream:1.0.9