CVE-2013-4116

medium

Description

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

References

Advisories

https://github.com/npm/npm/issues/3635

https://github.com/npm/npm/commit/f4d31693

https://exchange.xforce.ibmcloud.com/vulnerabilities/87141

https://bugzilla.redhat.com/show_bug.cgi?id=983917

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325

http://www.securityfocus.com/bid/61083

http://www.openwall.com/lists/oss-security/2013/07/11/9

http://www.openwall.com/lists/oss-security/2013/07/10/17

Details

Source: Mitre, NVD

Published: 2014-04-22

Updated: 2025-04-12

Risk Information

CVSS v2

Base Score: 3.3

Vector: CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P

Severity: Low

CVSS v3

Base Score: 4.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Severity: Medium

EPSS

EPSS: 0.0006

Detections

Analytics