PT-2019-1106 · Npm+6
Published: 2019-12-11 · Updated: 2023-01-24 · CVE-2019-16775
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: npm CLI versions prior to 6.13.3
Description: The issue is caused by errors in symbolic link handling in the npm and Yarn package managers. Exploitation may allow a remote attacker to write arbitrary files by creating a symbolic link to files outside the node_modules directory or by manipulating the bin field in package.json. This can occur when a package is installed: a specially crafted entry in the package.json bin field can create a symlink pointing to arbitrary files on the user's system. The vulnerability bypasses the --ignore-scripts install option, and the same behaviour remains possible through install scripts. It can only affect files that the user running npm install has access to, and it cannot overwrite files that already exist on disk.
Recommendations: Upgrade to version 6.13.3 or later. As a temporary workaround, consider restricting the use of the bin field in package.json to minimize the risk of exploitation. Avoid using install scripts until the issue is resolved.
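The following is an added example, not npm's own code: an audit of the bin field in a package.json that applies the two checks a link-creating step has to make for this class of bug, namely that the bin name is a plain file name (it becomes a link inside node_modules/.bin) and that the link target stays inside the package directory. The package root path and both package.json documents are constructed sample data.

```python
"""Audit the `bin` field of a package.json for entries that would escape the
package directory (the pattern behind CVE-2019-16775).  Added example, not
npm code; paths are normalised lexically, so it runs without touching disk."""
import posixpath

# Constructed sample install location of the package being audited.
PKG_ROOT = "/proj/node_modules/sample-pkg"

# Constructed sample manifests: one well-formed, one with two escaping entries.
SAFE_PKG = {"name": "good-cli", "bin": {"good": "./bin/cli.js"}}
STRING_BIN_PKG = {"name": "tiny-cli", "bin": "./cli.js"}
BAD_PKG = {
    "name": "sample-pkg",
    "bin": {
        "tool": "../../../../outside.txt",  # target climbs out of the package
        "../escape": "index.js",            # link name itself contains a path
    },
}


def bin_entries(pkg):
    """Normalise the two shapes of `bin`: a bare string (the link is named after
    the package) or a name -> target map.  Missing `bin` yields no entries."""
    raw = pkg.get("bin")
    if isinstance(raw, str):
        return {pkg.get("name", ""): raw}
    return dict(raw or {})


def audit_bin(pkg, pkg_root=PKG_ROOT):
    """Return (bin_name, target, reason) for each entry a safe linker should reject."""
    findings = []
    root_prefix = pkg_root.rstrip("/") + "/"
    for name, target in bin_entries(pkg).items():
        # Check 1: the link is created inside node_modules/.bin, so the name
        # must be a single path component with no separators.
        if name in ("", ".", "..") or "/" in name or "\\" in name:
            findings.append((name, target, "bin name contains a path separator"))
            continue
        # Check 2: the target is resolved relative to the package root and must
        # remain under it.  posixpath.join drops the root for absolute targets,
        # so those fail the prefix test as well.
        resolved = posixpath.normpath(
            posixpath.join(pkg_root, target.replace("\\", "/")))
        if not resolved.startswith(root_prefix):
            findings.append((name, target, "bin target resolves outside the package"))
    return findings
```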

Fix

Link Following

RCE

Weakness Enumeration

Related Identifiers

ALEA-2020:0330
ALSA-2020:0579
ALT-PU-2019-3385
ALT-PU-2020-2196
BDU:2019-04691
CESA-2020_0579
CVE-2019-16775
GHSA-M6CX-G6QM-P2CX
MGASA-2020-0372
OPENSUSE-SU-2020:0059-1
OPENSUSE-SU-2020_0059-1
RHSA-2020:0573
RHSA-2020:0579
RHSA-2020:0597
RHSA-2020:0602
RHSA-2020:2625
RHSA-2020_0579
RLSA-2020:0579
SUSE-SU-2020:0043-1
SUSE-SU-2020:0063-1
SUSE-SU-2020:0104-1
SUSE-SU-2020:0247-1
SUSE-SU-2020:0429-1
SUSE-SU-2020_0043-1
SUSE-SU-2020_0063-1
SUSE-SU-2020_0104-1
SUSE-SU-2020_0247-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Npm