GMS-2016-9: Tmp files readable by other users

January 24, 2016

The sync-exec module is used to simulate child_process.execSync in node Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

References

github.com/gvarsanyi/sync-exec/issues/17

Code Behaviors & Features

Detect and mitigate GMS-2016-9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →