npm CLI CVE-2019-16776 Arbitrary File Write Vulnerability

2019-12-1100:00:00

Symantec Security Response

www.symantec.com

JSON

Description

npm CLI is prone to an arbitrary file-write vulnerability. Successful exploits may allow an attacker to gain access or perform unauthorized actions on arbitrary files on the affected system. Versions prior to npm 6.13.3 are vulnerable.

Technologies Affected

Oracle GraalVM Enterprise Edition 19.3.0.2
npm npm 6.0.0
npm npm 6.10.0
npm npm 6.11.0
npm npm 6.12.0
npm npm 6.13.0
npm npm 6.13.2
npm npm 6.7.0
npm npm 6.8.0
npm npm 6.9.0

Recommendations

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

Updates are available. Please see the references or vendor advisory for more information.

CPENameOperatorVersion
npm npmeq6.9.0
npm npmeq6.13.0
npm npmeq6.13.2
npm npmeq6.12.0
oracle graalvm enterprise editioneq19.3.0.2
npm npmeq6.11.0
npm npmeq6.7.0
npm npmeq6.0.0
npm npmeq6.10.0
npm npmeq6.8.0

Name	Operator	Version
npm npm	eq	6.9.0
npm npm	eq	6.13.0
npm npm	eq	6.13.2
npm npm	eq	6.12.0
oracle graalvm enterprise edition	eq	19.3.0.2
npm npm	eq	6.11.0
npm npm	eq	6.7.0
npm npm	eq	6.0.0
npm npm	eq	6.10.0
npm npm	eq	6.8.0