Lucene search

[email protected]CVE-2019-16777

HistoryDec 13, 2019 - 1:15 a.m.

CVE-2019-16777

2019-12-1301:15:11

CWE-22

CWE-269

[email protected]

web.nvd.nist.gov

306

npm

cli

vulnerability

arbitrary file overwrite

package installations

global install

serve binary

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.002

Percentile

56.5%

JSON

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Affected configurations

Vulners

NVD

Node

npmcliRange<6.13.4

CNA Affected

[
  {
    "product": "cli",
    "vendor": "npm",
    "versions": [
      {
        "lessThan": "6.13.4",
        "status": "affected",
        "version": "< 6.13.4",
        "versionType": "custom"
      }
    ]
  }
]