Lucene search

K

GoogleOSV:GHSA-V3JV-WRF4-5845

HistorySep 01, 2020 - 4:03 p.m.

Local Privilege Escalation in npm

2020-09-0116:03:34

Google

osv.dev

10

EPSS

0

Percentile

5.1%

Affected versions of npm use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the npm process has permission to write to, potentially resulting in local privilege escalation.

Recommendation

Update to version 1.3.3 or later.

References

www.openwall.com/lists/oss-security/2013/07/10/17

www.openwall.com/lists/oss-security/2013/07/11/9

www.securityfocus.com/bid/61083

bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325

bugzilla.redhat.com/show_bug.cgi?id=983917

exchange.xforce.ibmcloud.com/vulnerabilities/87141

github.com/npm/npm

github.com/npm/npm/commit/f4d31693

github.com/npm/npm/issues/3635

nvd.nist.gov/vuln/detail/CVE-2013-4116

www.npmjs.com/advisories/152

EPSS

0

Percentile

5.1%

Related for OSV:GHSA-V3JV-WRF4-5845

openvas118 fedora59 nvd1 nessus2 debiancve1 cvelist1 nodejs1 prion1 ubuntucve1 github1 cve1