Affected versions of cli use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user who owns the cli process has permission to write to.
Proof of Concept
By creating symbolic links at the following locations, the target of the link can be written to.
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
Update to version 1.0.0 or later.
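For code that has to create its own lock or log files, the following added example (not code from the cli package or its 1.0.0 release) shows a creation pattern that refuses to write through a pre-existing symbolic link: a private directory with an unpredictable name, plus an exclusive, no-follow open. The helper names `makePrivateDir`, `openPrivateFile`, `writePidFile`, `openOverPlantedLink` and the app name `myapp` are hypothetical.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: per-process directory with an unpredictable suffix (mode 0700).
function makePrivateDir(app) {
  return fs.mkdtempSync(path.join(os.tmpdir(), app + '-'));
}

// Hypothetical helper: create a file without trusting anything already at that path.
function openPrivateFile(dir, name) {
  const { O_WRONLY, O_CREAT, O_EXCL, O_NOFOLLOW } = fs.constants;
  const file = path.join(dir, name);
  // O_EXCL fails if anything, including a symlink, already exists at the path.
  // O_NOFOLLOW refuses to follow a symlink in the final path component.
  const fd = fs.openSync(file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0o600);
  return { fd, file };
}

// Normal use: the pid file lives in the private directory, readable by the owner only.
function writePidFile(app) {
  const dir = makePrivateDir(app);
  const { fd, file } = openPrivateFile(dir, app + '.pid');
  fs.writeSync(fd, String(process.pid));
  const mode = fs.fstatSync(fd).mode & 0o777;
  fs.closeSync(fd);
  return { dir, file, mode };
}

// Constructed check inside a throwaway sandbox: a symlink already sits at the
// name the process wants. The open must fail and the link target stay untouched.
function openOverPlantedLink() {
  const sandbox = makePrivateDir('demo');
  const target = path.join(sandbox, 'target.txt');
  fs.writeFileSync(target, 'original');
  fs.symlinkSync(target, path.join(sandbox, 'myapp.pid'));
  let code = null;
  try {
    const { fd } = openPrivateFile(sandbox, 'myapp.pid');
    fs.writeSync(fd, String(process.pid));
    fs.closeSync(fd);
  } catch (err) {
    code = err.code; // error code reported by the refused open
  }
  const content = fs.readFileSync(target, 'utf8');
  fs.rmSync(sandbox, { recursive: true, force: true });
  return { code, content };
}

console.log(openOverPlantedLink());
```

A refused open should be treated as a hard error by the caller rather than retried with weaker flags.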