CVE-2019-16775

MEDIUM

Description

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html

https://access.redhat.com/errata/RHEA-2020:0330

https://access.redhat.com/errata/RHSA-2020:0573

https://access.redhat.com/errata/RHSA-2020:0579

https://access.redhat.com/errata/RHSA-2020:0597

https://access.redhat.com/errata/RHSA-2020:0602

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx

https://lists.fedoraproject.org/archives/list/[email protected]/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/

https://www.oracle.com/security-alerts/cpujan2020.html

Details

Source: MITRE

Published: 2019-12-13

Updated: 2020-10-07

Type: CWE-59

Risk Information

CVSS v2.0

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM