Alpine: multiple npm packages: security update to 8.1.4-r0

critical Tenable Cloud Security Plugin ID 405871

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency
information in package-lock.json differs from package.json. This behavior is inconsistent with the
documentation, and makes it easier for attackers to install malware that was supposed to have been blocked
by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a
vulnerability. It would require someone to socially engineer package.json which has different dependencies
than package-lock.json. That user would have to have file system or write access to change dependencies.
The npm team states preventing malicious actors from socially engineering or gaining file system access is
outside the scope of the npm CLI. (CVE-2021-43616)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-43616

Plugin Details

Severity: Critical

ID: 405871

Version: Revision 1.31

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-43616

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/13/2021

Reference Information

CVE: CVE-2021-43616