CVE-2019-16776

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html

https://access.redhat.com/errata/RHEA-2020:0330

https://access.redhat.com/errata/RHSA-2020:0573

https://access.redhat.com/errata/RHSA-2020:0579

https://access.redhat.com/errata/RHSA-2020:0597

https://access.redhat.com/errata/RHSA-2020:0602

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46

https://lists.fedoraproject.org/archives/list/[email protected]/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/

https://www.oracle.com/security-alerts/cpujan2020.html

Details

Source: MITRE

Published: 2019-12-13

Updated: 2020-10-07

Type: CWE-22

Risk Information

CVSS v2

Base Score: 5.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Impact Score: 5.2

Exploitability Score: 2.8

Severity: HIGH

Tenable Plugins

View all (12 total)

IDNameProductFamilySeverity
145979CentOS 8 : nodejs:10 (CESA-2020:0579)NessusCentOS Local Security Checks
critical
140035Oracle Linux 8 : nodejs:10 (ELSA-2020-0579)NessusOracle Linux Local Security Checks
critical
137343FreeBSD : NPM -- Multiple vulnerabilities (2a3588b4-ab12-11ea-a051-001b217b3468)NessusFreeBSD Local Security Checks
medium
134062RHEL 8 : nodejs:10 (RHSA-2020:0579)NessusRed Hat Local Security Checks
critical
134028RHEL 8 : nodejs:10 (RHSA-2020:0573)NessusRed Hat Local Security Checks
critical
133947SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:0429-1)NessusSuSE Local Security Checks
critical
133348SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2020:0247-1)NessusSuSE Local Security Checks
medium
133233Fedora 31 : 1:libuv / 1:nodejs (2020-595ce5e3cc)NessusFedora Local Security Checks
medium
132952SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2020:0104-1)NessusSuSE Local Security Checks
medium
132920openSUSE Security Update : nodejs8 (openSUSE-2020-59)NessusSuSE Local Security Checks
medium
132850SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2020:0063-1)NessusSuSE Local Security Checks
medium
132744SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2020:0043-1)NessusSuSE Local Security Checks
medium