GitHub Advisory DatabaseGHSA-V3JV-WRF4-5845Local Privilege Escalation in npm
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:P/A:P
EPSS
Percentile
5.1%
Affected versions of npm use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the npm process has permission to write to, potentially resulting in local privilege escalation.
Recommendation
Update to version 1.3.3 or later.
Affected configurations
References
www.openwall.com/lists/oss-security/2013/07/10/17
www.openwall.com/lists/oss-security/2013/07/11/9
www.securityfocus.com/bid/61083
bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
bugzilla.redhat.com/show_bug.cgi?id=983917
exchange.xforce.ibmcloud.com/vulnerabilities/87141
github.com/advisories/GHSA-v3jv-wrf4-5845
github.com/npm/npm/commit/f4d31693
github.com/npm/npm/issues/3635
nvd.nist.gov/vuln/detail/CVE-2013-4116
www.npmjs.com/advisories/152
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:P/A:P
EPSS
Percentile
5.1%