All the vulnerabilities related to npmjs - npm
Vulnerability from fkie_nvd
Published
2019-12-13 01:15
Modified
2024-11-21 04:31
Severity
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability is not mitigated by the --ignore-scripts install option, because it does not depend on install scripts running.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
npmjs | npm | * | |
opensuse | leap | 15.1 | |
oracle | graalvm | 19.3.0.2 | |
fedoraproject | fedora | 31 | |
redhat | enterprise_linux | 8.0 | |
redhat | enterprise_linux_eus | 8.1 | |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90BD4A6-0099-405D-933A-6D7A47C51970", "versionEndExcluding": "6.13.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6B257954-6EF3-4CBF-A8A7-699F70F98153", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." 
}, { "lang": "es", "value": "Las versiones del npm CLI en versiones anteriores a la 6.13.3 son vulnerables a una escritura de archivo arbitraria. No puede evitar el acceso a las carpetas fuera de la carpeta node_modules prevista a trav\u00e9s del campo bin. Una entrada construida correctamente en el campo bin de package.json permitir\u00eda al editor del paquete modificar y/o acceder a archivos arbitrarios en el sistema de un usuario cuando el paquete est\u00e9 instalado. Este comportamiento a\u00fan es posible mediante scripts de instalaci\u00f3n. Esta vulnerabilidad evita que un usuario utilice la opci\u00f3n de instalaci\u00f3n --ignore-scripts." } ], "id": "CVE-2019-16776", "lastModified": "2024-11-21T04:31:10.063", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-12-13T01:15:10.913", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party 
Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-13 18:15
Modified
2024-11-21 06:29
Severity
9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer a package.json that has different dependencies from package-lock.json; that person would need file-system or write access to change the dependencies. The npm team states that preventing malicious actors from socially engineering users or gaining file-system access is outside the scope of the npm CLI.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
npmjs | npm | * | |
npmjs | npm | * | |
netapp | next_generation_application_programming_interface | - | |
fedoraproject | fedora | 35 | |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "F582C303-4B6A-4B12-9E0A-BEB12E1B93D1", "versionEndIncluding": "7.24.2", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF29872C-4C3F-4DD4-ABEB-64246074752A", "versionEndIncluding": "8.1.3", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:netapp:next_generation_application_programming_interface:-:*:*:*:*:*:*:*", "matchCriteriaId": "444CE322-1245-4EEB-A5CA-9FCB011BF531", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI." 
}, { "lang": "es", "value": "** EN DISPUTA ** El comando npm ci en npm versiones 7.x y 8.x hasta 8.1.3, procede con una instalaci\u00f3n incluso si la informaci\u00f3n de dependencia en package-lock.json difiere de package.json. Este comportamiento es incoherente con la documentaci\u00f3n, y facilita a atacantes la instalaci\u00f3n de malware que se supone que ha sido bloqueado por un requisito de coincidencia de versi\u00f3n exacta en package-lock.json. NOTA: El equipo de npm cree que esto no es una vulnerabilidad. Requerir\u00eda que alguien hiciera ingenier\u00eda social de package.json que tiene diferentes dependencias que package-lock.json. Ese usuario tendr\u00eda que tener acceso al sistema de archivos o de escritura para cambiar las dependencias. El equipo de npm afirma que evitar que los actores maliciosos realicen ingenier\u00eda social u obtengan acceso al sistema de archivos est\u00e1 fuera del alcance de la CLI de npm" } ], "id": "CVE-2021-43616", "lastModified": "2024-11-21T06:29:31.227", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, 
"exploitabilityScore": 2.2, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-13T18:15:07.537", "references": [ { "source": "cve@mitre.org", "tags": [ "Product", "Vendor Advisory" ], "url": "https://docs.npmjs.com/cli/v7/commands/npm-ci" }, { "source": "cve@mitre.org", "url": "https://docs.npmjs.com/cli/v8/commands/npm-ci" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/icatalina/CVE-2021-43616" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/npm/cli/issues/2701" }, { "source": "cve@mitre.org", "url": "https://github.com/npm/cli/issues/2701#issuecomment-972900511" }, { "source": "cve@mitre.org", "url": "https://github.com/npm/cli/issues/2701#issuecomment-979054224" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20211210-0002/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Product", "Vendor Advisory" ], "url": "https://docs.npmjs.com/cli/v7/commands/npm-ci" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://docs.npmjs.com/cli/v8/commands/npm-ci" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/icatalina/CVE-2021-43616" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/npm/cli/issues/2701" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/npm/cli/issues/2701#issuecomment-972900511" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/npm/cli/issues/2701#issuecomment-979054224" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20211210-0002/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-345" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-12-13 01:15
Modified
2024-11-21 04:31
Severity
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability is not mitigated by the --ignore-scripts install option, because it does not depend on install scripts running.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90BD4A6-0099-405D-933A-6D7A47C51970", "versionEndExcluding": "6.13.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6B257954-6EF3-4CBF-A8A7-699F70F98153", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53B2BB06-A2F7-4603-89C3-C8500E55483A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:graalvm:21.2.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9D3BBC5B-9553-4EA6-B345-F47FA8F92D64", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. 
A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." }, { "lang": "es", "value": "Las versiones del npm CLI en versiones anteriores a la 6.13.3 son vulnerables a una escritura de archivo arbitraria. Es posible que los paquetes creen enlaces simb\u00f3licos a archivos fuera de la carpeta thenode_modules a trav\u00e9s del campo bin al momento de la instalaci\u00f3n. Una entrada construida correctamente en el campo bin de package.json permitir\u00eda a un editor de paquetes crear un enlace simb\u00f3lico que apunte a archivos arbitrarios en el sistema de un usuario cuando se instala el paquete. Este comportamiento todav\u00eda es posible mediante los scripts de instalaci\u00f3n. Esta vulnerabilidad evita que un usuario utilice la opci\u00f3n de instalaci\u00f3n --ignore-scripts." 
} ], "id": "CVE-2019-16775", "lastModified": "2024-11-21T04:31:09.880", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-12-13T01:15:10.817", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { 
"source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://access.redhat.com/errata/RHSA-2020:0579" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-61" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-59" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-12-13 01:15
Modified
2024-11-21 04:31
Severity
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability is not mitigated by the --ignore-scripts install option, because it does not depend on install scripts running.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
npmjs | npm | * | |
opensuse | leap | 15.1 | |
oracle | graalvm | 19.3.0.2 | |
fedoraproject | fedora | 31 | |
redhat | enterprise_linux | 8.0 | |
redhat | enterprise_linux_eus | 8.1 | |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90A3634-8A7A-4F77-B15E-CED8B01204CC", "versionEndExcluding": "6.13.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6B257954-6EF3-4CBF-A8A7-699F70F98153", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." 
}, { "lang": "es", "value": "Las versiones de la CLI npm anteriores a 6.13.4 son vulnerables a una Sobrescritura de Archivos Arbitrarios. No puede impedir que los binarios existentes instalados globalmente sean sobrescritos por otras instalaciones de paquete. Por ejemplo, si un paquete fue instalado globalmente y cre\u00f3 un binario de servicio, cualquier instalaci\u00f3n posterior de paquetes que tambi\u00e9n crea un binario de servicio sobrescribir\u00e1 el binario de servicio anterior. Este comportamiento todav\u00eda es permitido en instalaciones locales y tambi\u00e9n por medio de scripts de instalaci\u00f3n. Esta vulnerabilidad omite a un usuario que usa la opci\u00f3n de instalaci\u00f3n --ignore-scripts." } ], "id": "CVE-2019-16777", "lastModified": "2024-11-21T04:31:10.213", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-12-13T01:15:11.007", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202003-48" }, { "source": "security-advisories@github.com", 
"tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202003-48" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": 
"en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-06-13 14:15
Modified
2024-11-21 06:58
Severity ?
Summary
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files into the npm registry that they did not intend to include. Users should upgrade to the latest patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm. Note that upgrading prevents further unintended inclusions but does not remove files from versions already published; those should be reviewed separately.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
npmjs | npm | * | |
netapp | ontap_select_deploy_administration_utility | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "2844387A-FF0C-4C1F-8BFF-BA3785AA6CF6", "versionEndExcluding": "8.11.0", "versionStartIncluding": "7.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=\u003cname\u003e`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm." }, { "lang": "es", "value": "npm pack ignora las directivas de exclusi\u00f3n de archivos .gitignore y .npmignore a nivel de root cuando es ejecutado en un espacio de trabajo o con un flag de espacio de trabajo (es decir, \"--workspaces\", \"--workspace=(name)\"). Cualquiera que haya ejecutado \"npm pack\" o \"npm publish\" dentro de un espacio de trabajo, a partir de v7.9.0 y v7.13.0 respectivamente, puede estar afectado y haber publicado archivos en el registro de npm que no ten\u00eda intenci\u00f3n de incluir. Los usuarios deben actualizar a la \u00faltima versi\u00f3n parcheada de npm v8.11.0, ejecutar: npm i -g npm@latest . 
Las versiones de Node.js versiones v16.15.1, v17.19.1 y v18.3.0 incluyen la versi\u00f3n parcheada v8.11.0 de npm" } ], "id": "CVE-2022-29244", "lastModified": "2024-11-21T06:58:47.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-06-13T14:15:09.027", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/pull/43210" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/releases/tag/v16.15.1" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/releases/tag/v17.9.1" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/releases/tag/v18.3.0" }, { "source": "security-advisories@github.com", "tags": [ "Release 
Notes", "Third Party Advisory" ], "url": "https://github.com/npm/cli/releases/tag/v8.11.0" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52" }, { "source": "security-advisories@github.com", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpack" }, { "source": "security-advisories@github.com", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish" }, { "source": "security-advisories@github.com", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/npm/npm-packlist" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20220722-0007/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/pull/43210" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/releases/tag/v16.15.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/releases/tag/v17.9.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/nodejs/node/releases/tag/v18.3.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/npm/cli/releases/tag/v8.11.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": 
"https://github.com/npm/cli/tree/latest/workspaces/libnpmpack" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/npm/npm-packlist" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20220722-0007/" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-07 19:15
Modified
2024-11-21 05:04
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
4.4 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
4.4 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2C68D50-600A-4FAC-9C60-863A28AAC707", "versionEndExcluding": "6.14.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". The password value is not redacted and is printed to stdout and also to any generated log files." }, { "lang": "es", "value": "Las versiones de la CLI npm anteriores a 6.14.6, son susceptibles a una vulnerabilidad de exposici\u00f3n de informaci\u00f3n por medio de archivos de registro. La CLI admite las URL como \"://[[:]@][:][:][/]\". 
El valor de la contrase\u00f1a no es redactada y se imprime en stdout y tambi\u00e9n en cualquier archivo de registro generado" } ], "id": "CVE-2020-15095", "lastModified": "2024-11-21T05:04:47.847", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-07T19:15:10.833", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" }, { "source": 
"security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html" }, { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202101-07" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": 
"https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202101-07" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-532" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-532" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-31 17:15
Modified
2024-11-21 06:18
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and that the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in its `package.json` file such as `"foo": "file:/some/path"`. Another package, `pwn-b`, could define a dependency such as `FOO: "file:foo.tgz"`. On case-insensitive file systems, if `pwn-a` was installed and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2, which is included in npm v7.20.7 and above.
References
Source | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc | Mitigation, Third Party Advisory | |
security-advisories@github.com | https://www.npmjs.com/package/%40npmcli/arborist | ||
security-advisories@github.com | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc | Mitigation, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.npmjs.com/package/%40npmcli/arborist | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:arborist:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D3A10E91-51B2-4817-B6BD-E18383B823B9", "versionEndExcluding": "2.8.2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A017D9F7-6B4C-4E21-A721-D97FD6A6330C", "versionEndExcluding": "7.20.7", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53B2BB06-A2F7-4603-89C3-C8500E55483A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "01E88C86-8C04-4A4A-BF45-9082AA783056", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253", "versionEndExcluding": "1.0.1.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist\u0027s internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. 
However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above." }, { "lang": "es", "value": "\"@npmcli/arborist\", la librer\u00eda que calcula los trees de dependencia y maneja la jerarqu\u00eda de carpetas \"node_modules\" para la interfaz de l\u00ednea de comandos de npm, presenta como objetivo garantizar que los contratos de dependencia de los paquetes se cumplan, y que la extracci\u00f3n de los contenidos de los paquetes sea llevada a cabo siempre en la carpeta esperada. Esto es conseguido, en parte, al resolver los especificadores de dependencia definidos en los manifiestos \"package.json\" para las dependencias con un nombre espec\u00edfico, y anidando las carpetas para resolver las dependencias conflictivas. Cuando las dependencias m\u00faltiples difieren s\u00f3lo en el caso de su nombre, la estructura de datos interna de Arborist las ve\u00eda como elementos separados que pod\u00edan coexistir dentro del mismo nivel en la jerarqu\u00eda \"node_modules\". Sin embargo, en los sistemas de archivos que no distinguen entre may\u00fasculas y min\u00fasculas (como macOS y Windows), esto no es as\u00ed. 
Combinado con una dependencia de symlink como \"file:/some/path\", esto permit\u00eda a un atacante crear una situaci\u00f3n en la que se pod\u00edan escribir contenidos arbitrarios en cualquier ubicaci\u00f3n del sistema de archivos. Por ejemplo, un paquete \"pwn-a\" podr\u00eda definir una dependencia en su archivo \"package.json\" como \"\"foo\": \"file:/some/path\"\". Otro paquete, \"pwn-b\" podr\u00eda definir una dependencia como \"FOO: \"file:foo.tgz\"\". En los sistemas de archivos que no distinguen entre may\u00fasculas y min\u00fasculas, si se instalara \"pwn-a\" y luego se instalara \"pwn-b\", el contenido de \"foo.tgz\" se escribir\u00eda en \"/some/path\", y cualquier contenido existente de \"/some/path\" se eliminar\u00eda. Cualquiera usando npm versiones v7.20.6 o anteriores en un sistema de archivos que no distinga entre may\u00fasculas y min\u00fasculas est\u00e1 potencialmente afectado. Esto est\u00e1 parcheado en @npmcli/arborist 2.8.2 que se incluye en npm versiones v7.20.7 y superiores" } ], "id": "CVE-2021-39134", "lastModified": "2024-11-21T06:18:39.567", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-31T17:15:08.147", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc" }, { "source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": 
"security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-61" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-178" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-02-22 18:29
Modified
2024-11-21 04:12
Severity ?
Summary
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of its pre-release status). It might allow local users to bypass intended filesystem access restrictions because the ownership of the /etc and /usr directories is changed unexpectedly, related to a "correctMkdir" issue.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://blog.npmjs.org/post/171169301000/v571 | Vendor Advisory | |
cve@mitre.org | https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0 | Third Party Advisory | |
cve@mitre.org | https://github.com/npm/npm/issues/19883 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://blog.npmjs.org/post/171169301000/v571 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/npm/npm/issues/19883 | Issue Tracking, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "731C75C2-2367-4B65-99CC-B334D7FEAEB2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor\u0027s blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue." }, { "lang": "es", "value": "Se ha descubierto un problema en un prelanzamiento de npm 5.7.0 2018-02-21 (marcado como \"next: 5.7.0\" y, por lo tanto, instalado autom\u00e1ticamente mediante un comando \"npm upgrade -g npm\" y anunciado en el blog del fabricante sin mencionar que se trata de un prelanzamiento). Podr\u00eda permitir que los usuarios locales omitan las restricciones de acceso planeadas debido a que la propiedad de los directorios /etc y /usr se cambia de forma inesperada. Esto se relaciona con un problema \"correctMkdir\"." 
} ], "id": "CVE-2018-7408", "lastModified": "2024-11-21T04:12:05.503", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-02-22T18:29:00.253", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://blog.npmjs.org/post/171169301000/v571" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/npm/npm/issues/19883" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://blog.npmjs.org/post/171169301000/v571" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party 
Advisory" ], "url": "https://github.com/npm/npm/issues/19883" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-31 17:15
Modified
2024-11-21 06:18
Severity
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:arborist:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D3A10E91-51B2-4817-B6BD-E18383B823B9", "versionEndExcluding": "2.8.2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A017D9F7-6B4C-4E21-A721-D97FD6A6330C", "versionEndExcluding": "7.20.7", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53B2BB06-A2F7-4603-89C3-C8500E55483A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "01E88C86-8C04-4A4A-BF45-9082AA783056", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253", "versionEndExcluding": "1.0.1.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project\u0027s `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. 
Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2." }, { "lang": "es", "value": "\"@npmcli/arborist\", la biblioteca que calcula los \u00e1rboles de dependencia y maneja la jerarqu\u00eda de carpetas node_modules para la interfaz de l\u00ednea de comandos de npm, tiene como objetivo garantizar que se cumplan los contratos de dependencia de los paquetes, y que la extracci\u00f3n del contenido de los paquetes sea llevada a cabo siempre en la carpeta esperada. Esto es conseguido extrayendo el contenido de los paquetes en la carpeta \"node_modules\" de un proyecto. Si la carpeta \"node_modules\" del proyecto root o cualquiera de sus dependencias se sustituye de alg\u00fan modo por un enlace simb\u00f3lico, podr\u00eda permitir a Arborist escribir las dependencias de los paquetes en cualquier ubicaci\u00f3n arbitraria del sistema de archivos. Tenga en cuenta que los enlaces simb\u00f3licos contenidos en los artefactos de los paquetes se filtran, por lo que habr\u00eda que emplear otro medio para crear un enlace simb\u00f3lico \"node_modules\". 1. Un script \"preinstall\" podr\u00eda sustituir \"node_modules\" por un enlace simb\u00f3lico. (Esto es impedido usando \"--ignore-scripts\".) 2. 
Un atacante podr\u00eda suministrar al objetivo un repositorio git, indic\u00e1ndole que ejecute \"npm install --ignore-scripts\" en root. Esto podr\u00eda tener \u00e9xito, porque \"npm install --ignore-scripts\" no suele ser capaz de realizar cambios fuera del directorio del proyecto, por lo que podr\u00eda considerarse seguro. Esto est\u00e1 parcheado en @npmcli/arborist versi\u00f3n 2.8.2 que se incluye en npm versiones v7.20.7 y superiores. Para m\u00e1s informaci\u00f3n, incluyendo soluciones, consulte la referencia documento GHSA-gmw6-94gg-2rc2" } ], "id": "CVE-2021-39135", "lastModified": "2024-11-21T06:18:39.773", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-31T17:15:08.207", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2" }, { "source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-61" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-59" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-07-02 14:59
Modified
2024-11-21 02:51
Severity
Summary
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "F581B2CF-A05C-4ABB-9042-A34085A546D4", "versionEndIncluding": "1.1.0.20", "vulnerable": true }, { "criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "748ABD64-797B-422E-A456-0A97AD24F29B", "versionEndIncluding": "1.2.0.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "3B824DD1-B652-47FF-B934-3C7A59DDF5DF", "versionEndIncluding": "4.4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "BF2E637C-EA49-4DB6-B4D5-B4684A9549C6", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "C1966CED-11A1-4328-A57E-308BE5E4CCD1", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "A9F46AD2-BB74-4391-8A4F-7BE49EF41F0D", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*", "matchCriteriaId": "EC36E36A-9592-49DA-AACE-B3638FC55F4D", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*", "matchCriteriaId": "B98E9F42-08BC-49B5-90C8-AC3EA7960C45", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*", "matchCriteriaId": "ABA37EF5-DF97-467B-9A56-1611345387FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*", "matchCriteriaId": "5F0BD0C1-2294-4AFB-B4AE-C81576FB9AFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*", "matchCriteriaId": "4057D560-81EE-49ED-888C-89560DBE3348", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*", "matchCriteriaId": "F87810E1-BDAD-455D-82E3-334CC102AB2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*", 
"matchCriteriaId": "8BC00B3A-3C9D-4487-9686-775CBAA1CC42", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*", "matchCriteriaId": "7C0A4F5B-4546-414C-A209-07C27ED1C944", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*", "matchCriteriaId": "2515087F-B272-4B76-99F4-ACA0C2460046", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*", "matchCriteriaId": "0C7016DE-A3A5-450B-9FBD-2C98A07FF3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*", "matchCriteriaId": "8C1848A7-E68E-4CB4-B73C-C5200ABAC9DD", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*", "matchCriteriaId": "59F861AB-574A-41BF-8E2D-6440B35C2AA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*", "matchCriteriaId": "41C8CEF8-49E1-4CB0-837B-E85C76BF9DF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*", "matchCriteriaId": "8C7101A5-FDC9-4897-B8E8-6A07790D42A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*", "matchCriteriaId": "F7776F01-29AC-4161-9C91-C7392C6A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*", "matchCriteriaId": "3CADD766-8328-4669-BE66-A4757D5FB471", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*", "matchCriteriaId": "AD9792E9-2593-46B4-9633-E2F2DB11106B", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*", "matchCriteriaId": "FF209248-8921-419A-86EB-30E7095E4514", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*", "matchCriteriaId": "2C0D6C34-E046-40BD-907D-0E2510C09A14", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*", "matchCriteriaId": "E5CBB83F-19AD-44BD-B7D4-19C1A8F80011", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*", "matchCriteriaId": "D6E2EA97-156D-4870-8967-78E4ED6EF64F", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*", "matchCriteriaId": "54961BCA-8730-4B40-8385-41F6D65797F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*", "matchCriteriaId": "B22FA598-E613-4652-92CD-237F749D13DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*", "matchCriteriaId": "B4F321AF-FCC7-456D-AFE2-2CEF9CBAFCC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*", "matchCriteriaId": "18F2EC65-2A47-4C45-8D58-63D18443B767", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*", "matchCriteriaId": "D0517A28-70F9-4947-BEF0-9CC645388BFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*", "matchCriteriaId": "C5DD5BBD-922E-4026-9DEC-98CF9411CE95", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*", "matchCriteriaId": "63E078BA-8BDC-47EB-84B9-09B785FD1213", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*", "matchCriteriaId": "4B9971A7-1C18-43C0-97BC-27096609EFC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*", "matchCriteriaId": "0EA5107B-4347-4D43-ADA6-141527A40333", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*", "matchCriteriaId": "0C679CFA-50D4-430B-B372-113CE236EACC", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*", "matchCriteriaId": "F7AA6FEE-C630-4545-BCCF-3C211461C6C9", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*", "matchCriteriaId": "682E8A32-1F1E-4427-BAD8-58596F85F170", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*", "matchCriteriaId": "C9827EF0-E340-4A75-9735-F20CDF09CA42", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*", "matchCriteriaId": "E6C02C09-D738-45B1-BF6F-A4499E5F8D60", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*", "matchCriteriaId": "EE85CACC-842F-46C7-966D-48E866055A5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*", "matchCriteriaId": "771BCA5F-B762-4569-AB46-08A13A4EFD5C", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*", "matchCriteriaId": "21E05024-3647-456D-A731-D19411FED2DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*", "matchCriteriaId": "89929EB1-D723-496B-A7C6-4B4CD9C176B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*", "matchCriteriaId": "D3EA4652-EF0E-414C-AEB8-AEFE788B66A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC9002F9-87C4-4C7F-9BD9-430EB15CD4BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "21EF734D-9E6B-4E01-9AFE-C0B847D583A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "12606C39-6F39-4DDF-9B36-A160875B265F", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "EC4D8789-33C3-498A-857D-CC6576732C31", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*", "matchCriteriaId": "466E8851-6BE7-4716-AB16-3E985411C35C", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*", "matchCriteriaId": "E5C4DB21-F35A-4567-8B04-85DB3089CDF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*", "matchCriteriaId": "BA7E7436-117A-4F79-BA7A-2A0059BB9694", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"037511C2-3FA9-4A4C-996B-A1462C221DA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*", "matchCriteriaId": "65EEB1B9-2E75-46F4-B70C-94991D38B427", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*", "matchCriteriaId": "0E5C5750-10F3-45D7-AC9B-7EA06F4B3887", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0390D600-532D-4675-95BB-10EC4E06F3E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "35AAF7CD-9AE6-4A4B-858E-4B17031BD058", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5DCB6010-AC31-4B61-9DA6-E119ADC5D70B", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5364365-36F1-49C0-BF8D-2D5054BC7B1D", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0740684D-989A-4957-8AC1-AAB01A04E393", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "08C97202-6AEC-4B8D-B3F6-49F6AEF9CFD1", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "7EFA073A-9AC2-4162-9DDA-B6CD0AE53D3F", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "4F8FD4B3-D515-486A-94A3-29CBDA2E25CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "55E18631-9502-42CC-A85A-EA5742FDC317", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "4CCBC213-1524-4C88-9EB3-52E003070A3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "C928FB55-2F33-4458-8484-4010AE8883A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "5CEEFA5F-2B32-4CA0-84AD-E0ECA0F81078", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4754B0A8-A7D7-41A1-BFE5-10D84E7CEC1E", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:rc.1:*:*:*:*:*:*", "matchCriteriaId": "5545EA7D-77F3-439B-B524-E126E38FC0EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:rc.2:*:*:*:*:*:*", "matchCriteriaId": "375D5E3C-4ED5-4BA2-868D-83DC64DA0293", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D132104E-163C-47EE-B247-578D64AC88D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4E208FB1-A772-4002-BD56-3360BDDFEF37", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.1:*:*:*:*:*:*", "matchCriteriaId": "C357BFEF-5156-4254-97D9-0D9CE98505BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.2:*:*:*:*:*:*", "matchCriteriaId": "8EC465B1-1FE1-4BCA-8754-C55B94947140", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.3:*:*:*:*:*:*", "matchCriteriaId": "3E702637-0A91-4572-9932-529837214667", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.4:*:*:*:*:*:*", "matchCriteriaId": "EBAD975C-7A68-48B3-83CE-6876D92B1A0D", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "14BE6C0B-E6EC-4CD2-912B-45DE9F94BA59", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "64F7E56E-CA65-47C3-9ADA-F13A834D3961", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "183A5888-01C5-4977-9C66-1467FFA6D457", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F811E8BB-F1C8-43BE-BEAD-FC4FE122ABEF", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:nodejs:node.js:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FEDE8D29-7C15-44D1-8D5C-0E438D9DE029", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "0DCA3C10-FB37-4256-812A-EB8A3A095E6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "54197CC5-9C7D-4DCE-A60F-625DE246E5A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6173A6E4-F472-46CF-9762-6F3CAAFD9C3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4C25A52-E3C0-4429-AB96-1E33523E51D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "590070D6-198A-456E-A55D-D0B06DD3FF8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "46FCC5E2-1106-4153-B8C6-5E9594735529", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "56778D45-8B99-406D-BE97-034D3A29F32E", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C0C7E2F2-8C41-4F3B-848A-144DCA30FC69", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.8.1:rc.1:*:*:*:*:*:*", "matchCriteriaId": "22969DF2-6A8A-4483-9EEF-65DEE6A945E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "11778EAE-5DCD-4D4E-807B-FD3C0DC47BE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:nodejs:node.js:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "4C203335-0CB9-4B38-80C1-344607FFAE29", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "06A529ED-154E-40BA-86B3-297613BBD237", "versionEndExcluding": "2.15.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", 
"matchCriteriaId": "B884EB02-113D-4867-BC74-CEA49F19142F", "versionEndExcluding": "3.8.3", "versionStartIncluding": "3.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers." }, { "lang": "es", "value": "La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones anteriores a 4.4.2 y 5 en versiones anteriores a 5.10.0, incluye tokens portadores con peticiones arbitrarias, lo que permite a servidores HTTP remotos obtener informaci\u00f3n sensible leyendo cabeceras de autorizaci\u00f3n." 
} ], "id": "CVE-2016-3956", "lastModified": "2024-11-21T02:51:01.750", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-07-02T14:59:19.417", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/npm/issues/8380" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/npm/npm/issues/8380" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2021-43616
Vulnerability from cvelistv5
Published
2021-11-13 00:00
Modified
2024-08-04 04:03
Severity
EPSS score
Summary
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:03:08.795Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/npm/cli/issues/2701" }, { "tags": [ "x_transferred" ], "url": "https://docs.npmjs.com/cli/v7/commands/npm-ci" }, { "tags": [ "x_transferred" ], "url": "https://github.com/icatalina/CVE-2021-43616" }, { "tags": [ "x_transferred" ], "url": "https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20211210-0002/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f" }, { "name": "FEDORA-2022-97b214b298", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/" }, { "tags": [ "x_transferred" ], "url": "https://docs.npmjs.com/cli/v8/commands/npm-ci" }, { "tags": [ "x_transferred" ], "url": "https://github.com/npm/cli/issues/2701#issuecomment-979054224" }, { "tags": [ "x_transferred" ], "url": "https://github.com/npm/cli/issues/2701#issuecomment-972900511" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. 
It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-17T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/npm/cli/issues/2701" }, { "url": "https://docs.npmjs.com/cli/v7/commands/npm-ci" }, { "url": "https://github.com/icatalina/CVE-2021-43616" }, { "url": "https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0" }, { "url": "https://security.netapp.com/advisory/ntap-20211210-0002/" }, { "url": "https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f" }, { "name": "FEDORA-2022-97b214b298", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/" }, { "url": "https://docs.npmjs.com/cli/v8/commands/npm-ci" }, { "url": "https://github.com/npm/cli/issues/2701#issuecomment-979054224" }, { "url": "https://github.com/npm/cli/issues/2701#issuecomment-972900511" } ], "tags": [ "disputed" ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43616", "datePublished": 
"2021-11-13T00:00:00", "dateReserved": "2021-11-13T00:00:00", "dateUpdated": "2024-08-04T04:03:08.795Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-16776
Vulnerability from cvelistv5
Published
2019-12-13 00:55
Modified
2024-08-05 01:24
Summary
Versions of the npm CLI prior to 6.13.3 are vulnerable to an arbitrary file write. The CLI fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. Unlike the install-script variant, this vulnerability is not prevented by the --ignore-scripts install option.
References
▼ | URL | Tags |
---|---|---|
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli | x_refsource_MISC | |
https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46 | x_refsource_CONFIRM | |
https://www.oracle.com/security-alerts/cpujan2020.html | x_refsource_MISC | |
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html | vendor-advisory, x_refsource_SUSE | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/ | vendor-advisory, x_refsource_FEDORA | |
https://access.redhat.com/errata/RHEA-2020:0330 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2020:0573 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2020:0579 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2020:0597 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2020:0602 | vendor-advisory, x_refsource_REDHAT |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:24:48.040Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "openSUSE-SU-2020:0059", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cli", "vendor": "npm", "versions": [ { "lessThan": "6.13.3", "status": "affected", "version": "\u003c 6.13.3", 
"versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-07T18:33:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "openSUSE-SU-2020:0059", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" } ], "source": { "advisory": "GHSA-x8qc-rrcw-4r46", "discovery": "UNKNOWN" }, "title": "Unauthorized File Access in npm CLI before before version 6.13.3", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16776", "STATE": "PUBLIC", "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "cli", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "\u003c 6.13.3", "version_value": "6.13.3" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user\u0027s system when the package is installed. 
This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", "refsource": "MISC", "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "name": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46" }, { "name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "openSUSE-SU-2020:0059", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "refsource": 
"REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602" } ] }, "source": { "advisory": "GHSA-x8qc-rrcw-4r46", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16776", "datePublished": "2019-12-13T00:55:16", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:48.040Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15095
Vulnerability from cvelistv5
Published
2020-07-07 18:55
Modified
2024-08-04 13:08
Summary
Versions of the npm CLI prior to 6.14.6 are vulnerable to information exposure through log files. The CLI supports URLs of the form "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
References
▼ | URL | Tags |
---|---|---|
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp | x_refsource_CONFIRM | |
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc | x_refsource_MISC | |
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07 | x_refsource_MISC | |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html | vendor-advisory, x_refsource_SUSE | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202101-07 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:21.646Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07" }, { "name": "openSUSE-SU-2020:1616", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" }, { "name": "openSUSE-SU-2020:1644", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html" }, { "name": "openSUSE-SU-2020:1660", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" }, { "name": "FEDORA-2020-43d5a372fc", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" }, { "name": "GLSA-202101-07", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202101-07" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cli", "vendor": "npm", "versions": [ { "status": "affected", "version": "\u003c 6.14.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. 
The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". The password value is not redacted and is printed to stdout and also to any generated log files." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-11T10:06:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07" }, { "name": "openSUSE-SU-2020:1616", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" }, { "name": "openSUSE-SU-2020:1644", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html" }, { "name": "openSUSE-SU-2020:1660", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" }, { "name": "FEDORA-2020-43d5a372fc", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" }, { "name": "GLSA-202101-07", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202101-07" } ], "source": { "advisory": "GHSA-93f3-23rq-pjfp", "discovery": "UNKNOWN" }, "title": "Sensitive information exposure through logs in npm cli", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15095", "STATE": "PUBLIC", "TITLE": "Sensitive information exposure through logs in npm cli" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "cli", "version": { "version_data": [ { "version_value": "\u003c 6.14.6" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". The password value is not redacted and is printed to stdout and also to any generated log files." 
} ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-532: Insertion of Sensitive Information into Log File" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp" }, { "name": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", "refsource": "MISC", "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc" }, { "name": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", "refsource": "MISC", "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07" }, { "name": "openSUSE-SU-2020:1616", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html" }, { "name": "openSUSE-SU-2020:1644", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html" }, { "name": "openSUSE-SU-2020:1660", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" }, { "name": "FEDORA-2020-43d5a372fc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/" }, { "name": "GLSA-202101-07", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07" } ] }, "source": { "advisory": "GHSA-93f3-23rq-pjfp", 
"discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15095", "datePublished": "2020-07-07T18:55:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-29244
Vulnerability from cvelistv5
Published
2022-06-13 13:40
Modified
2024-08-03 06:17
Summary
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files to the npm registry that they did not intend to include. Users should upgrade to the latest patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
References
▼ | URL | Tags |
---|---|---|
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52 | x_refsource_MISC | |
https://github.com/npm/npm-packlist | x_refsource_MISC | |
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish | x_refsource_MISC | |
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack | x_refsource_MISC | |
https://github.com/nodejs/node/pull/43210 | x_refsource_MISC | |
https://github.com/npm/cli/releases/tag/v8.11.0 | x_refsource_MISC | |
https://github.com/nodejs/node/releases/tag/v16.15.1 | x_refsource_MISC | |
https://github.com/nodejs/node/releases/tag/v17.9.1 | x_refsource_MISC | |
https://github.com/nodejs/node/releases/tag/v18.3.0 | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20220722-0007/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:17:54.265Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/npm-packlist" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpack" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nodejs/node/pull/43210" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/releases/tag/v8.11.0" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nodejs/node/releases/tag/v16.15.1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nodejs/node/releases/tag/v17.9.1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nodejs/node/releases/tag/v18.3.0" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220722-0007/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "npm", "vendor": "npm", "versions": [ { "lessThan": "7.9.0*", "status": "affected", "version": "7.9.0", "versionType": "custom" }, { "lessThan": "8.11.0", "status": "affected", "version": "8.11.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=\u003cname\u003e`). 
Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-22T18:09:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/npm-packlist" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpack" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nodejs/node/pull/43210" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/releases/tag/v8.11.0" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nodejs/node/releases/tag/v16.15.1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nodejs/node/releases/tag/v17.9.1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nodejs/node/releases/tag/v18.3.0" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20220722-0007/" } ], "source": { "discovery": "UNKNOWN" }, "title": "npm packing does not respect root-level ignore files in workspaces", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29244", "STATE": "PUBLIC", "TITLE": "npm 
packing does not respect root-level ignore files in workspaces" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "npm", "version": { "version_data": [ { "version_affected": "\u003e=", "version_name": "7.9.0", "version_value": "7.9.0" }, { "version_affected": "\u003c", "version_name": "8.11.0", "version_value": "8.11.0" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=\u003cname\u003e`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52", "refsource": "MISC", "url": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52" }, { "name": "https://github.com/npm/npm-packlist", "refsource": "MISC", "url": "https://github.com/npm/npm-packlist" }, { "name": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish", "refsource": "MISC", "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish" }, { "name": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpack", "refsource": "MISC", "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpack" }, { "name": "https://github.com/nodejs/node/pull/43210", "refsource": "MISC", "url": "https://github.com/nodejs/node/pull/43210" }, { "name": "https://github.com/npm/cli/releases/tag/v8.11.0", "refsource": "MISC", "url": "https://github.com/npm/cli/releases/tag/v8.11.0" }, { "name": "https://github.com/nodejs/node/releases/tag/v16.15.1", "refsource": "MISC", "url": "https://github.com/nodejs/node/releases/tag/v16.15.1" }, { "name": "https://github.com/nodejs/node/releases/tag/v17.9.1", "refsource": "MISC", "url": "https://github.com/nodejs/node/releases/tag/v17.9.1" }, { "name": "https://github.com/nodejs/node/releases/tag/v18.3.0", "refsource": "MISC", "url": "https://github.com/nodejs/node/releases/tag/v18.3.0" }, { "name": "https://security.netapp.com/advisory/ntap-20220722-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220722-0007/" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29244", "datePublished": "2022-06-13T13:40:27", "dateReserved": 
"2022-04-13T00:00:00", "dateUpdated": "2024-08-03T06:17:54.265Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-16775
Vulnerability from cvelistv5
Published
2019-12-13 00:55
Modified
2024-08-05 01:24
Summary
Versions of the npm CLI prior to 6.13.3 are vulnerable to an arbitrary file write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. Unlike the install-script variant, this vulnerability is not prevented by the --ignore-scripts install option.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:24:48.326Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "openSUSE-SU-2020:0059", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cli", 
"vendor": "npm", "versions": [ { "lessThan": "6.13.3", "status": "affected", "version": "\u003c 6.13.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-20T10:38:25", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "openSUSE-SU-2020:0059", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": 
"RHSA-2020:0573", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" } ], "source": { "advisory": "GHSA-m6cx-g6qm-p2cx", "discovery": "UNKNOWN" }, "title": "Unauthorized File Access in npm CLI before before version 6.13.3", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16775", "STATE": "PUBLIC", "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "cli", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "\u003c 6.13.3", "version_value": "6.13.3" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. 
A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user\u0027s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-61: UNIX Symbolic Link (Symlink) Following" } ] } ] }, "references": { "reference_data": [ { "name": "openSUSE-SU-2020:0059", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": 
"https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx" }, { "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", "refsource": "MISC", "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" } ] }, "source": { "advisory": "GHSA-m6cx-g6qm-p2cx", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16775", "datePublished": "2019-12-13T00:55:15", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:48.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39135
Vulnerability from cvelistv5
Published
2021-08-31 17:10
Modified
2024-08-04 01:58
Summary
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.
References
| URL | Tags |
---|---|---|
https://www.npmjs.com/package/%40npmcli/arborist | x_refsource_MISC | |
https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2 | x_refsource_CONFIRM | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:18.069Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "arborist", "vendor": "npm", "versions": [ { "status": "affected", "version": "\u003c 2.8.2" } ] } ], "descriptions": [ { "lang": "en", "value": "`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project\u0027s `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. 
This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-08T14:07:30", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" } ], "source": { "advisory": "GHSA-gmw6-94gg-2rc2", "discovery": "UNKNOWN" }, "title": "UNIX Symbolic Link (Symlink) Following in @npmcli/arborist", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39135", "STATE": "PUBLIC", "TITLE": "UNIX Symbolic Link (Symlink) Following in @npmcli/arborist" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "arborist", "version": { "version_data": [ { "version_value": "\u003c 2.8.2" } ] } } 
] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project\u0027s `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-61: UNIX Symbolic Link (Symlink) Following" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.npmjs.com/package/@npmcli/arborist", "refsource": "MISC", "url": "https://www.npmjs.com/package/@npmcli/arborist" }, { "name": "https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2", "refsource": "CONFIRM", "url": "https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" } ] }, "source": { "advisory": "GHSA-gmw6-94gg-2rc2", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39135", "datePublished": "2021-08-31T17:10:10", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.069Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-7408
Vulnerability from cvelistv5
Published
2018-02-22 18:00
Modified
2024-08-05 06:24
Summary
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.
References
| URL | Tags |
---|---|---|
https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0 | x_refsource_MISC | |
https://github.com/npm/npm/issues/19883 | x_refsource_MISC | |
http://blog.npmjs.org/post/171169301000/v571 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:24:11.901Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/npm/issues/19883" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blog.npmjs.org/post/171169301000/v571" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-02-22T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor\u0027s blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-23T01:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/npm/issues/19883" }, { "tags": [ "x_refsource_MISC" ], "url": "http://blog.npmjs.org/post/171169301000/v571" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7408", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor\u0027s blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0", "refsource": "MISC", "url": "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0" }, { "name": "https://github.com/npm/npm/issues/19883", "refsource": "MISC", "url": "https://github.com/npm/npm/issues/19883" }, { "name": "http://blog.npmjs.org/post/171169301000/v571", "refsource": "MISC", "url": "http://blog.npmjs.org/post/171169301000/v571" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7408", "datePublished": "2018-02-22T18:00:00", "dateReserved": "2018-02-22T00:00:00", "dateUpdated": "2024-08-05T06:24:11.901Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39134
Vulnerability from cvelistv5
Published
2021-08-31 16:55
Modified
2024-08-04 01:58
Summary
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `"foo": "file:/some/path"`. Another package, `pwn-b` could define a dependency such as `FOO: "file:foo.tgz"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.
References
| URL | Tags |
---|---|---|
https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc | x_refsource_CONFIRM | |
https://www.npmjs.com/package/%40npmcli/arborist | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:17.840Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "arborist", "vendor": "npm", "versions": [ { "status": "affected", "version": "\u003c 2.8.2" } ] } ], "descriptions": [ { "lang": "en", "value": "`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist\u0027s internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. 
For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-08T14:07:47", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.npmjs.com/package/%40npmcli/arborist" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" } ], "source": { "advisory": "GHSA-2h3h-q99f-3fhc", "discovery": "UNKNOWN" }, "title": "UNIX Symbolic Link (Symlink) Following in @npmcli/arborist", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39134", 
"STATE": "PUBLIC", "TITLE": "UNIX Symbolic Link (Symlink) Following in @npmcli/arborist" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "arborist", "version": { "version_data": [ { "version_value": "\u003c 2.8.2" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist\u0027s internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. 
This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-61: UNIX Symbolic Link (Symlink) Following" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc", "refsource": "CONFIRM", "url": "https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc" }, { "name": "https://www.npmjs.com/package/@npmcli/arborist", "refsource": "MISC", "url": "https://www.npmjs.com/package/@npmcli/arborist" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" } ] }, "source": { "advisory": "GHSA-2h3h-q99f-3fhc", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39134", "datePublished": "2021-08-31T16:55:11", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:17.840Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-16777
Vulnerability from cvelistv5
Published
2019-12-13 01:00
Modified
2024-08-05 01:24
Summary
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:24:47.252Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "openSUSE-SU-2020:0059", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "name": "GLSA-202003-48", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-48" } ], "title": "CVE Program Container" } ], "cna": { 
"affected": [ { "product": "cli", "vendor": "npm", "versions": [ { "lessThan": "6.13.4", "status": "affected", "version": "\u003c 6.13.4", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-20T20:06:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "openSUSE-SU-2020:0059", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "name": "GLSA-202003-48", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-48" } ], "source": { "advisory": "GHSA-4328-8hgf-7wjr", "discovery": "UNKNOWN" }, "title": "Arbitrary File Overwrite in npm CLI", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16777", "STATE": "PUBLIC", "TITLE": "Arbitrary File Overwrite in npm CLI" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "cli", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "\u003c 6.13.4", "version_value": "6.13.4" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. 
It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", "refsource": "MISC", "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli" }, { "name": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr" }, { "name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "openSUSE-SU-2020:0059", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" }, { "name": "FEDORA-2020-595ce5e3cc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/" }, { "name": "RHEA-2020:0330", "refsource": "REDHAT", 
"url": "https://access.redhat.com/errata/RHEA-2020:0330" }, { "name": "RHSA-2020:0573", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573" }, { "name": "RHSA-2020:0579", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579" }, { "name": "RHSA-2020:0597", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597" }, { "name": "RHSA-2020:0602", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602" }, { "name": "GLSA-202003-48", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-48" } ] }, "source": { "advisory": "GHSA-4328-8hgf-7wjr", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16777", "datePublished": "2019-12-13T01:00:21", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:47.252Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-3956
Vulnerability from cvelistv5
Published
2016-07-02 14:00
Modified
2024-08-06 00:10
Severity ?
EPSS score ?
Summary
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
References
▼ | URL | Tags |
---|---|---|
https://github.com/npm/npm/issues/8380 | x_refsource_CONFIRM | |
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 | x_refsource_CONFIRM | |
http://www-01.ibm.com/support/docview.wss?uid=swg21980827 | x_refsource_CONFIRM | |
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 | x_refsource_CONFIRM | |
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability | x_refsource_CONFIRM | |
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:10:31.975Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/npm/issues/8380" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-31T00:00:00", "descriptions": [ { "lang": "en", "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-07-02T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/npm/issues/8380" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3956", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/npm/npm/issues/8380", "refsource": "CONFIRM", "url": "https://github.com/npm/npm/issues/8380" }, { "name": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29", "refsource": "CONFIRM", "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29" }, { "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827" }, { "name": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401", "refsource": "CONFIRM", "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401" }, { "name": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability", "refsource": "CONFIRM", "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability" }, { "name": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/", "refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3956", "datePublished": "2016-07-02T14:00:00", "dateReserved": "2016-04-05T00:00:00", "dateUpdated": "2024-08-06T00:10:31.975Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }