CVE-2017-16024: Information Exposure

June 4, 2018 (updated October 9, 2019)

The sync-exec module is used to simulate child_process Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

References

github.com/gvarsanyi/sync-exec/issues/17
nvd.nist.gov/vuln/detail/CVE-2017-16024

Code Behaviors & Features

Detect and mitigate CVE-2017-16024 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →