PT-2019-1104 · Npm+6 · Npm Cli+6
Published 2019-12-11 · Updated 2022-08-02 · CVE-2019-16777
CVSS v3.1 7.7 High
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
npm CLI versions prior to 6.13.4
Description:
The issue allows an Arbitrary File Overwrite because npm fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. The vulnerability can be exploited remotely and may allow an attacker to overwrite arbitrary files in the context of the target directory. Installing with the --ignore-scripts option does not prevent it.
Recommendations:
Upgrade to version 6.13.4 or later. As a temporary workaround, consider restricting the use of globally-installed binaries to minimize the risk of exploitation. Avoid using the serve binary in the affected API endpoints until the issue is resolved.
Fix
Improper Privilege Management
RCE
Path traversal
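As an added illustration (not part of this advisory and not npm's own code), the following Python script does two defender-side checks for the issue described above: it compares a reported npm CLI version against the fix version 6.13.4, and it audits a global install prefix for bin links that more than one installed package declares, which is the symptom left behind when a later install has overwritten an earlier package's binary. The directory layout it assumes (`<prefix>/bin` symlinks pointing into `<prefix>/lib/node_modules`) is the one npm uses on Linux and macOS; the packages `serve`, `other-tool-demo` and `lone-tool-demo` in the fixture are constructed for the demo, and the function names (`audit_global_bins`, `npm_is_vulnerable`, `build_demo_prefix`) are chosen here.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Fix version stated in the advisory: npm CLI versions before 6.13.4 are affected.
FIXED_IN = (6, 13, 4)


def parse_version(version: str) -> tuple:
    """Turn 'v6.13.3' or '6.13.4-beta.1' into a comparable (major, minor, patch) tuple."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def npm_is_vulnerable(version: str) -> bool:
    """True when the output of `npm --version` is older than the fixed release."""
    return parse_version(version) < FIXED_IN


def bin_entries(pkg: dict) -> dict:
    """Bin names a package.json declares: `bin` is either a string or a name->path map."""
    bin_field = pkg.get("bin")
    if isinstance(bin_field, str):
        # A bare string means a single bin named after the (unscoped) package name.
        return {pkg.get("name", "").split("/")[-1]: bin_field}
    if isinstance(bin_field, dict):
        return dict(bin_field)
    return {}


def declared_bins(node_modules: Path) -> dict:
    """Map each bin name to the list of installed packages (scoped ones included) that declare it."""
    claims = {}
    pkg_files = list(node_modules.glob("*/package.json")) + list(node_modules.glob("@*/*/package.json"))
    for pkg_json in pkg_files:
        try:
            pkg = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue
        for bin_name in bin_entries(pkg):
            claims.setdefault(bin_name, []).append(pkg.get("name", pkg_json.parent.name))
    return claims


def owning_package(link: Path, node_modules: Path):
    """Name of the package directory a bin symlink resolves into, or None if it points elsewhere."""
    try:
        rel = link.resolve().relative_to(node_modules.resolve())
    except (OSError, ValueError):
        return None
    if not rel.parts:
        return None
    if rel.parts[0].startswith("@") and len(rel.parts) > 1:
        return "/".join(rel.parts[:2])
    return rel.parts[0]


def audit_global_bins(prefix: Path) -> list:
    """Return (bin name, package the link currently points at, all claimants) for every
    global bin that more than one package declares, or whose link points at a package
    that never declared it. An empty list means no collisions were found."""
    node_modules = prefix / "lib" / "node_modules"
    bin_dir = prefix / "bin"
    claims = declared_bins(node_modules)
    findings = []
    for link in sorted(bin_dir.iterdir()):
        if not link.is_symlink():
            continue
        owner = owning_package(link, node_modules)
        claimants = sorted(claims.get(link.name, []))
        if len(claimants) > 1 or owner not in claimants:
            findings.append((link.name, owner, claimants))
    return findings


def build_demo_prefix(root: Path) -> Path:
    """Constructed fixture (not a real install): three global packages, two of which both
    declare a `serve` bin. The `serve` link points at the package installed last, i.e. the
    earlier package's binary has been overwritten, as the advisory describes."""
    node_modules = root / "lib" / "node_modules"
    packages = [
        ("serve", {"serve": "bin/serve.js"}),
        ("other-tool-demo", {"serve": "cli.js"}),
        ("lone-tool-demo", {"lone-tool": "cli.js"}),
    ]
    for name, bins in packages:
        pkg_dir = node_modules / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, "version": "1.0.0", "bin": bins}))
        for rel in bins.values():
            script = pkg_dir / rel
            script.parent.mkdir(parents=True, exist_ok=True)
            script.write_text("#!/usr/bin/env node\n")
    bin_dir = root / "bin"
    bin_dir.mkdir()
    os.symlink(node_modules / "other-tool-demo" / "cli.js", bin_dir / "serve")
    os.symlink(node_modules / "lone-tool-demo" / "cli.js", bin_dir / "lone-tool")
    return root


def demo_findings() -> list:
    """Build the constructed fixture in a temp dir and audit it."""
    return audit_global_bins(build_demo_prefix(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    # Usage: python audit_npm_bins.py [<output of `npm prefix -g`>]
    # Without an argument the constructed fixture is audited instead.
    prefix = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_prefix(Path(tempfile.mkdtemp()))
    for name, owner, claimants in audit_global_bins(prefix):
        print(f"{name}: link points to {owner}; declared by {', '.join(claimants)}")
```

On a real machine, pass the directory printed by `npm prefix -g` as the first argument; a reported collision tells you which package currently owns the link and which other packages also declare that bin name, so you can decide which one should have it and reinstall accordingly. The version check is the primary control: once the CLI is at 6.13.4 or later, npm itself refuses the overwrite.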
Related identifiers
Affected products
Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Npm Cli