CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P (base score 7.5)

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8)

EPSS
Percentile: 90.2%
DISPUTED: The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds
with an installation even if the dependency information in package-lock.json
differs from package.json. This behavior is inconsistent with the
documentation, and makes it easier for attackers to install malware that
was supposed to have been blocked by an exact version match requirement in
package-lock.json. NOTE: the npm team believes this is not a vulnerability.
It would require someone to socially engineer a package.json that has
different dependencies than package-lock.json; that user would have to have
file system or write access to change dependencies. The npm team states
that preventing malicious actors from socially engineering or gaining file
system access is outside the scope of the npm CLI.
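The consistency check that the description says npm ci was documented to perform, reimplemented as an added Node.js example so it can be run as a CI gate in front of npm ci on the affected versions. This is not npm's own code. It assumes the lockfileVersion 2 or 3 layout, in which packages[""] mirrors the root package.json dependency fields and every installed package has a "node_modules/<name>" entry; the package names, versions and file contents in the samples are constructed for the demonstration, and the "unpinned-helper" package stands in for whatever an attacker would add to a tampered package.json.

```javascript
'use strict';
// Preflight check for `npm ci`: compare the dependency specs declared in
// package.json with those recorded at the root of package-lock.json and
// refuse to install when they disagree. Added example, not npm's own code.
// Assumption: lockfileVersion 2 or 3, where packages[""] mirrors the root
// package.json dependency fields and each installed package is recorded
// under a "node_modules/<name>" key.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns human-readable mismatch descriptions; an empty list means the two
// files agree and `npm ci` can proceed.
function lockMismatches(pkg, lock) {
  const problems = [];
  const packages = (lock && lock.packages) || {};
  const root = packages[''] || {};
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name}@${spec} is in package.json but not in the lockfile root`);
      } else if (locked[name] !== spec) {
        problems.push(`${field}: ${name} is ${spec} in package.json but ${locked[name]} in the lockfile`);
      }
      // A matching range is not enough: the tree itself must pin a copy.
      if (!packages[`node_modules/${name}`]) {
        problems.push(`${field}: lockfile has no node_modules/${name} entry, so nothing is pinned`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}: ${name} is in the lockfile root but not in package.json`);
      }
    }
  }
  return problems;
}

// Convenience wrapper for a CI gate: true when `npm ci` is safe to run.
function lockfileMatches(pkg, lock) {
  return lockMismatches(pkg, lock).length === 0;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: { lodash: '4.17.21' },
  devDependencies: { mocha: '^10.0.0' },
};

const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'demo-app',
      version: '1.0.0',
      dependencies: { lodash: '4.17.21' },
      devDependencies: { mocha: '^10.0.0' },
    },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/mocha': { version: '10.2.0', dev: true },
  },
};

// The same package.json after an attacker edits it: lodash is repointed to
// an older release and a new dependency appears that the lockfile never
// pinned. "unpinned-helper" is a constructed placeholder name.
const TAMPERED_PACKAGE_JSON = {
  ...SAMPLE_PACKAGE_JSON,
  dependencies: { lodash: '4.17.15', 'unpinned-helper': '*' },
};

// Usage: node check-lock.js package.json package-lock.json && npm ci
// With no arguments the script demonstrates the check on the samples above.
if (typeof require !== 'undefined' && require.main === module) {
  const args = process.argv.slice(2);
  if (args.length === 2) {
    const fs = require('fs');
    const pkg = JSON.parse(fs.readFileSync(args[0], 'utf8'));
    const lock = JSON.parse(fs.readFileSync(args[1], 'utf8'));
    const problems = lockMismatches(pkg, lock);
    problems.forEach((p) => console.error('lockfile mismatch:', p));
    process.exitCode = problems.length === 0 ? 0 : 1;
  } else {
    console.log('clean:', lockMismatches(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE));
    console.log('tampered:', lockMismatches(TAMPERED_PACKAGE_JSON, SAMPLE_LOCKFILE));
  }
}
```

The check compares the spec strings literally rather than evaluating semver ranges: npm writes the root package.json ranges into packages[""] verbatim, so any difference there means one of the two files was edited without the other, which is exactly the condition the description says npm ci was supposed to reject. Run it in the same job that runs npm ci so a tampered package.json fails the build before any install scripts execute.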