Plattform
nodejs
Komponente
cli
Behoben in
1.0.0
CVE-2016-10538 describes an Arbitrary File Access vulnerability affecting the cli package. This vulnerability allows an attacker to potentially write to arbitrary files on the system if they can create symbolic links at predictable temporary file locations used by the cli process. The vulnerability impacts versions prior to 1.0.0 and has been resolved with an update.
The impact of CVE-2016-10538 stems from the predictable temporary file names used by the cli package. An attacker who can create symbolic links at specific locations ( /tmp/<cli.app>.pid and /tmp/<cli.app>.log) can redirect the write operations of the cli process to arbitrary files. This could lead to unauthorized modification of configuration files, sensitive data, or even system binaries, depending on the permissions of the user running the cli process. Successful exploitation could grant an attacker significant control over the affected system.
CVE-2016-10538 was publicly disclosed in 2019. While no active exploitation campaigns are widely reported, the availability of a proof-of-concept demonstrates the vulnerability's exploitability. It is not currently listed on the CISA KEV catalog. The low CVSS score reflects the relatively limited scope of potential impact, but the ease of exploitation warrants attention.
Applications and systems utilizing the cli package, particularly those running in environments where the cli process has elevated privileges or access to sensitive data, are at risk. Shared hosting environments where multiple users share the same /tmp/ directory are particularly vulnerable.
• nodejs / server:
find /tmp/ -type l -print0 | xargs -0 ls -l | grep 'cli.app'• nodejs / server:
ps aux | grep 'cli' | grep /tmp• generic web:
Inspect /tmp/ directory for symbolic links with names related to cli.app.
discovery
disclosure
patch
Exploit-Status
EPSS
0.32% (55% Perzentil)
The primary mitigation for CVE-2016-10538 is to upgrade the cli package to version 1.0.0 or later, which addresses the predictable temporary file name issue. If upgrading is not immediately feasible, consider restricting the permissions of the user running the cli process to minimize the potential impact of a successful attack. While not a direct fix, implementing robust file system access controls can limit the attacker's ability to write to sensitive locations. Monitor system logs for suspicious file creation or modification activity.
Kein offizieller Patch verfügbar. Prüfe auf Workarounds oder überwache auf Updates.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2016-10538 is a vulnerability in the cli package that allows attackers to write to arbitrary files if they can create symbolic links in the /tmp/ directory.
You are affected if you are using a version of the cli package prior to 1.0.0.
Upgrade the cli package to version 1.0.0 or later. Consider restricting write access for the cli process user as a temporary workaround.
While no active campaigns are definitively linked, the vulnerability's ease of exploitation makes it a potential target.
Refer to the package's release notes and associated security advisories for details on the fix.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.