osv · Google · OSV:GHSA-P6MR-PXG4-68HX
Sep 17, 2019 - 11:21 p.m.

Symlink Arbitrary File Overwrite in bower

2019-09-17 23:21:34
Google
osv.dev

EPSS: 0.003 (Low), percentile 65.4%

Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.
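The missing check described above can be sketched as a pre-extraction pass over an archive's entry list. This is an added example, not bower's code or its actual fix; the manifest shape, function names and sample entries are assumptions made for illustration, and it assumes extraction into an empty directory.

```javascript
// Added example. The manifest shape {path, type, target} is hypothetical (not bower's
// API); assumes '/'-separated member names and extraction into an empty directory.

// Resolve `p` as the OS would, following symlinks declared in `links`
// (Map: link path -> target). Returns null when resolution leaves the root.
function resolveInRoot(p, links, depth = 0) {
  if (depth > 40 || p.startsWith('/')) return null; // symlink loop or absolute path
  let cur = []; // resolved components so far
  for (const part of p.split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') {
      if (cur.pop() === undefined) return null; // climbed above the root
      continue;
    }
    cur.push(part);
    const target = links.get(cur.join('/'));
    if (target === undefined) continue;
    cur.pop(); // a link's target is relative to the link's own directory
    const joined = target.startsWith('/') ? target : [...cur, target].join('/');
    const resolved = resolveInRoot(joined, links, depth + 1);
    if (resolved === null) return null;
    cur = resolved === '' ? [] : resolved.split('/');
  }
  return cur.join('/');
}

// Return the paths of entries that must not be extracted.
function findEscapingEntries(entries) {
  const clean = (s) => s.split('/').filter((x) => x && x !== '.');
  const links = new Map(entries.filter((e) => e.type === 'symlink')
    .map((e) => [clean(e.path).join('/'), e.target]));
  const unsafe = (e) => {
    const parts = clean(e.path);
    return parts.includes('..') || // no parent references in member names
      parts.some((_, i) => i > 0 && links.has(parts.slice(0, i).join('/'))) || // written through a link
      resolveInRoot(e.path, links) === null; // link (or chain of links) leaves the root
  };
  return entries.filter(unsafe).map((e) => e.path);
}

// Constructed manifest: none of these names come from a real package.
const sampleEntries = [
  { path: 'pkg/index.js', type: 'file' },
  { path: 'pkg/current', type: 'symlink', target: '../pkg/index.js' }, // stays inside
  { path: 'pkg/up', type: 'symlink', target: '../../outside' }, // direct escape
  { path: 'here', type: 'symlink', target: '.' }, // harmless alone
  { path: 'hop', type: 'symlink', target: 'here/..' }, // escapes via 'here'
  { path: 'pkg/up/payload.txt', type: 'file' }, // written through a link
];
console.log(findEscapingEntries(sampleEntries));
```

A purely lexical check of each target would accept `hop`, because `here/..` normalizes to the root; following the declared links during resolution is what catches it.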

Recommendation

Update to version 1.8.8 or later.

CPE    Name    Operator    Version
bower    lt    1.8.8
