CVE-2019-16775

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.2:*:*:*:enterprise:*:*:*

Configuration 5 (hide)

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

History

07 Nov 2023, 03:05

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/', 'name': 'FEDORA-2020-595ce5e3cc', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/ -

Information

Published : 2019-12-13 01:15

Updated : 2024-02-28 17:28


NVD link : CVE-2019-16775

Mitre link : CVE-2019-16775

CVE.ORG link : CVE-2019-16775


JSON object : View

Products Affected

opensuse

  • leap

npmjs

  • npm

redhat

  • enterprise_linux
  • enterprise_linux_eus

fedoraproject

  • fedora

oracle

  • graalvm
CWE
CWE-61

UNIX Symbolic Link (Symlink) Following

CWE-59

Improper Link Resolution Before File Access ('Link Following')