CVE-2019-16775

medium

Description

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References

Advisories

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/

https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

https://access.redhat.com/errata/RHSA-2020:0602

https://access.redhat.com/errata/RHSA-2020:0597

https://access.redhat.com/errata/RHSA-2020:0579

https://access.redhat.com/errata/RHSA-2020:0573

https://access.redhat.com/errata/RHEA-2020:0330

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html

Details

Source: Mitre, NVD

Published: 2019-12-13

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.00392