GitHub Advisory DatabaseGHSA-P6MR-PXG4-68HXSymlink Arbitrary File Overwrite in bower
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
65.4%
Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.
Recommendation
Update to version 1.8.8 or later
Affected configurations
References
github.com/advisories/GHSA-p6mr-pxg4-68hx
github.com/bower/bower/commit/45c6bfa86f6e57731b153baca9e0b41a1cc699e3
github.com/nodejs/security-wg/blob/master/vuln/npm/487.json
hackerone.com/reports/473811
lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2019-5484
snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction
www.npmjs.com/advisories/776
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
65.4%