CVE-2019-16775

EPSS 0.89%
Veröffentlicht 13.12.2019 01:15:10
Zuletzt bearbeitet 21.11.2024 04:31:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Unauthorized File Access in npm CLI before before version 6.13.3

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 14

NVD 8 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Eus Version8.1

Npmjs ≫ Npm Version < 6.13.3

Opensuse ≫ Leap Version15.1

Oracle ≫ Graalvm Version19.3.0.2 SwEditionenterprise

Oracle ≫ Graalvm Version20.3.3 SwEditionenterprise

Oracle ≫ Graalvm Version21.2.2 SwEditionenterprise

Fedoraproject ≫ Fedora Version31

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.89%	0.757

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
security-advisories@github.com	7.7	1.3	5.8	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CWE-61 UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

https://www.oracle.com/security-alerts/cpujan2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html

Third Party Advisory

Mailing List

https://access.redhat.com/errata/RHEA-2020:0330

Third Party Advisory

https://access.redhat.com/errata/RHSA-2020:0573

Third Party Advisory