CVE-2017-18869
LOWchownr < 1.1.0 - Time-of-check Time-of-use Race Condition via Symlink Attack
Title source: llmDescription
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_misc
https://github.com/isaacs/chownr/issues/14
Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985
Permissions Required x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1611614
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/npm:chownr:20180731
Scores
CVSS v3
2.5
EPSS
0.0033
EPSS Percentile
25.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-367
Status
published
Products (2)
chownr_project/chownr
< 1.1.0
npm/chownr
0 - 1.1.0npm
Published
Jun 15, 2020
Tracked Since
Feb 18, 2026