PT-2019-1104 · Npm+6 · Npm Cli+6

Published: 2019-12-11 · Updated: 2022-08-02 · CVE-2019-16777

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: npm CLI versions prior to 6.13.4
Description: npm CLI versions prior to 6.13.4 are vulnerable to arbitrary file overwrite. When a package is installed globally, npm links the package's `bin` entries into the global bin directory without checking whether a link of that name already exists and belongs to a different package. For example, if a globally installed package created a `serve` binary, any later global install of a package that also declares a `serve` binary replaces the existing one. Overwriting is still permitted for local installations (inside the project's node_modules/.bin) and through install scripts. An attacker who gets a user to install a malicious package globally can therefore replace any existing command of the same name in the global bin directory, and the attacker's code runs with that user's privileges the next time the command is executed. The overwrite is performed by npm's own bin-linking step, not by a lifecycle script, so installing with the --ignore-scripts option does not prevent it.
Recommendations: Upgrade to npm CLI 6.13.4 or later. Until then, install globally only packages you have reviewed, compare the `bin` field of a package's package.json against the names already present in the global bin directory before running `npm install -g`, and inspect what each link in that directory (`npm bin -g` prints its path on npm 6) actually points to. Do not rely on --ignore-scripts as a mitigation for this issue.
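The following is an added illustration, not npm's own code: it models the bin-linking step described above in two variants, the pre-6.13.4 behaviour that clobbers an existing global link, and a version with the ownership check that refuses to, plus a small audit helper for the recommendation to review what is already linked in the global bin directory. The package names, bin names and directory contents are constructed for the example; the extra rejection of bin names containing path separators is an assumed hardening, not part of this CVE.

```javascript
// Added illustration, not npm's own code. Models two ways of linking a package's
// `bin` entries into the global bin directory: the pre-6.13.4 behaviour that
// silently clobbers an existing link, and an ownership check that refuses to.
// Package names, bin names and directory contents below are constructed.

// npm accepts `"bin": "./cli.js"` as shorthand for `{ "<unscoped name>": "./cli.js" }`.
function normalizeBin(pkg) {
  if (typeof pkg.bin === 'string') {
    return { [pkg.name.split('/').pop()]: pkg.bin };
  }
  return pkg.bin || {};
}

// Pre-6.13.4 behaviour: every bin name is linked unconditionally. `globalBins`
// maps bin name -> owning package; in the returned map `serve` points at the
// newly installed package regardless of who owned it before.
function linkBinsVulnerable(globalBins, pkg) {
  const result = { ...globalBins };
  for (const name of Object.keys(normalizeBin(pkg))) {
    result[name] = pkg.name;
  }
  return result;
}

// Checked behaviour: a bin name already owned by a different package is a
// conflict and is left untouched (npm 6.13.4 and later refuse the link and
// report the conflict); re-linking a name the same package already owns is
// allowed so upgrades and reinstalls keep working. Names that are not plain
// file names are rejected so a `bin` entry cannot point outside the bin
// directory (assumed hardening, not specific to this CVE).
function planBinLinks(globalBins, pkg) {
  const plan = { link: [], conflicts: [], rejected: [] };
  for (const name of Object.keys(normalizeBin(pkg))) {
    if (name === '' || name === '.' || name === '..' || /[\\/]/.test(name)) {
      plan.rejected.push(name);
      continue;
    }
    const owner = globalBins[name];
    if (owner !== undefined && owner !== pkg.name) {
      plan.conflicts.push({ name, owner });
    } else {
      plan.link.push(name);
    }
  }
  return plan;
}

// Apply a plan: only the names cleared by planBinLinks are (re)linked.
function linkBinsChecked(globalBins, pkg) {
  const plan = planBinLinks(globalBins, pkg);
  const bins = { ...globalBins };
  for (const name of plan.link) {
    bins[name] = pkg.name;
  }
  return { bins, plan };
}

// Audit for an already-installed global tree: given the bin maps of all
// globally installed packages, report bin names claimed by more than one
// package. On a pre-6.13.4 npm such a name was clobbered by whichever package
// was installed last. In practice, feed this the packages listed by
// `npm ls -g --json` together with each package's package.json `bin` field.
function findBinCollisions(packages) {
  const claims = new Map();
  for (const pkg of packages) {
    for (const name of Object.keys(normalizeBin(pkg))) {
      if (!claims.has(name)) claims.set(name, []);
      claims.get(name).push(pkg.name);
    }
  }
  const collisions = {};
  for (const [name, owners] of claims) {
    if (owners.length > 1) collisions[name] = owners;
  }
  return collisions;
}

// Constructed sample: a global bin directory that already has `serve`, and a
// package (hypothetical name) that also declares a `serve` bin.
const sampleGlobalBins = { serve: 'serve', nodemon: 'nodemon' };
const samplePackage = {
  name: 'totally-not-serve',
  bin: { serve: './bin/cli.js', 'not-serve': './bin/other.js' },
};

function demo() {
  return {
    vulnerable: linkBinsVulnerable(sampleGlobalBins, samplePackage),
    checked: linkBinsChecked(sampleGlobalBins, samplePackage),
    collisions: findBinCollisions([
      { name: 'serve', bin: { serve: './bin/serve.js' } },
      samplePackage,
    ]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the two outcomes side by side: in the vulnerable path `serve` ends up owned by `totally-not-serve`, while the checked path links only `not-serve` and lists `serve` as a conflict. `findBinCollisions` is the check worth running once over an existing global install on an older npm, since a collision there means the overwrite has already happened.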

Fix

Improper Privilege Management

RCE

Path traversal

Weakness Enumeration

Related Identifiers

ALEA-2020:0330
ALSA-2020:0579
ALT-PU-2019-3385
ALT-PU-2020-2196
BDU:2019-04689
CESA-2020_0579
CVE-2019-16777
GHSA-4328-8HGF-7WJR
MGASA-2020-0372
OPENSUSE-SU-2020:0059-1
RHSA-2020:0573
RHSA-2020:0579
RHSA-2020:0597
RHSA-2020:0602
RHSA-2020:2625
RLSA-2020:0579
SUSE-SU-2020:0043-1
SUSE-SU-2020:0063-1
SUSE-SU-2020:0104-1
SUSE-SU-2020:0247-1
SUSE-SU-2020:0429-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Npm Cli