CVE-2019-16776
HIGH
7,7
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: required
Scope: changed
Confidentiality: high
Integrity: high
Availability: none
MEDIUM
5,5
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: single
Confidentiality: partial
Integrity: partial
Availability: none
Description
AI Translation Available
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0035
Percentile
0,6th
Updated
EPSS Score Trend (Last 91 Days)
22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
StableCommon Consequences
Security Scopes Affected:
Integrity
Confidentiality
Availability
Potential Impacts:
Execute Unauthorized Code Or Commands
Modify Files Or Directories
Read Files Or Directories
Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies:
AI/ML
Application
Graalvm by Oracle
CPE Identifier
View Detailed Analysis
cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Fedora by Fedoraproject
CPE Identifier
View Detailed Analysis
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Npm by Npmjs
Version Range Affected
To
6.13.3
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Leap by Opensuse
CPE Identifier
View Detailed Analysis
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
https://access.redhat.com/errata/RHEA-2020:0330
https://access.redhat.com/errata/RHSA-2020:0573
https://access.redhat.com/errata/RHSA-2020:0579
https://access.redhat.com/errata/RHSA-2020:0597
https://access.redhat.com/errata/RHSA-2020:0602
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://www.oracle.com/security-alerts/cpujan2020.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
https://access.redhat.com/errata/RHEA-2020:0330
https://access.redhat.com/errata/RHSA-2020:0573
https://access.redhat.com/errata/RHSA-2020:0579
https://access.redhat.com/errata/RHSA-2020:0597
https://access.redhat.com/errata/RHSA-2020:0602
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://www.oracle.com/security-alerts/cpujan2020.html