Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nodejsAnonymousNODEJS:1783
HistoryAug 31, 2021 - 4:14 p.m.

UNIX Symbolic Link (Symlink) Following

2021-08-3116:14:40
Anonymous
www.npmjs.com
21
JSON

Overview

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

This is accomplished by extracting package contents into a projectโ€™s node_modules folder.

If the node_modules folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system.

Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a node_modules symbolic link would have to be employed.

  1. A preinstall script could replace node_modules with a symlink. (This is prevented by using --ignore-scripts.)
  2. An attacker could supply the target with a git repository, instructing them to run npm install --ignore-scripts in the root. This may be successful, because npm install --ignore-scripts is typically not capable of making changes outside of the project directory, so it may be deemed safe.

Patches

2.8.2 (included in npm v7.20.7 and above)

Workarounds

Do not run npm install on untrusted codebases, without first ensuring that the node_modules directory in the project is not a symbolic link.

Fix

Prior to extracting any package contents, the node_modules folder into which it is extracted is verified to be a real directory. If it is not, then it is removed.

Caveat: if you are currently relying on creating a symbolic link to the node_modules folder in order to share dependencies between projects, then that will no longer be possible. Please use the npm link command, explicit file:... dependencies, and/or workspaces to share dependencies in a development environment.

Recommendation

Upgrade to version 2.8.2 or later

References

CPENameOperatorVersion
@npmcli/arboristlt2.8.2

Related

prion 1
veracode 1
osv 2
github 2
alpinelinux 1
debiancve 1
redhatcve 1
ibm 8
cve 1
ubuntucve 1
nessus 9
suse 4
openvas 9
nodejsblog 1
freebsd 1
altlinux 1
mageia 1
ics 1
oracle 1
prion
prion
Design/Logic Flaw
2021-08-31 17:15:00
veracode
veracode
Remote Code Execution (RCE)
2021-09-01 02:58:46
osv
osv
CVE-2021-39135
2021-08-31 17:15:08
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
2021-08-31 16:03:34
github
github
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
2021-08-31 16:03:34
GitHub security update: Vulnerabilities in tar and @npmcli/arborist
2021-09-08 16:00:32
alpinelinux
alpinelinux
CVE-2021-39135
2021-08-31 17:15:00
debiancve
debiancve
CVE-2021-39135
2021-08-31 17:15:00
redhatcve
redhatcve
CVE-2021-39135
2021-12-06 14:11:24
ibm
ibm
Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - Node.js (CVE-2021-39135)
2022-04-22 19:30:42
Security Bulletin: Multiple vulnerabilities affect IBM Rationalยฎ Application Developer for WebSphereยฎ Software - September 2021
2021-11-16 19:42:27
Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39135
2021-10-07 10:31:01
cve
cve
CVE-2021-39135
2021-08-31 17:15:00
ubuntucve
ubuntucve
CVE-2021-39135
2021-08-31 00:00:00
nessus
nessus
Node.js Multiple Vulnerabilities (August 31st 2021 Security Releases)
2021-10-19 00:00:00
SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:3964-1)
2021-12-08 00:00:00
openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1574-1)
2021-12-17 00:00:00
suse
suse
Security update for nodejs14 (important)
2021-12-10 00:00:00
Security update for nodejs12 (important)
2021-12-06 00:00:00
Security update for nodejs12 (important)
2021-12-12 00:00:00
openvas
openvas
openSUSE: Security Advisory for nodejs14 (openSUSE-SU-2021:3964-1)
2021-12-08 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:3964-1)
2021-12-07 00:00:00
openSUSE: Security Advisory for nodejs12 (openSUSE-SU-2021:3940-1)
2021-12-07 00:00:00
nodejsblog
nodejsblog
August 31 2021 Security Releases
2021-08-31 00:00:00
freebsd
freebsd
Node.js -- August 2021 Security Releases (2)
2021-08-31 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 14.17.6-alt1
2021-09-01 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerability
2021-10-06 22:41:56
ics
ics
Siemens SINEC INS
2022-03-10 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00
JSON
Related for NODEJS:1783
prion1veracode1osv2github2alpinelinux1debiancve1redhatcve1ibm8cve1ubuntucve1nessus9suse4openvas9nodejsblog1freebsd1altlinux1mageia1ics1oracle1