Lucene search

[email protected]CVE-2019-16776

HistoryDec 13, 2019 - 1:15 a.m.

CVE-2019-16776

2019-12-1301:15:00

CWE-22

[email protected]

web.nvd.nist.gov

144

npm

cli

vulnerability

arbitrary file write

cve-2019-16776

nvd

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

43.5%

JSON

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CPENameOperatorVersion
npmjs:npmnpmjs npmlt6.13.3
opensuse:leapopensuse leapeq15.1
oracle:graalvmoracle graalvmeq19.3.0.2
fedoraproject:fedorafedoraproject fedoraeq31
redhat:enterprise_linuxredhat enterprise linuxeq8.0
redhat:enterprise_linux_eusredhat enterprise linux euseq8.1

CPE	Name	Operator	Version
npmjs:npm	npmjs npm	lt	6.13.3
opensuse:leap	opensuse leap	eq	15.1
oracle:graalvm	oracle graalvm	eq	19.3.0.2
fedoraproject:fedora	fedoraproject fedora	eq	31
redhat:enterprise_linux	redhat enterprise linux	eq	8.0
redhat:enterprise_linux_eus	redhat enterprise linux eus	eq	8.1