CVE-2019-16775

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.2:*:*:*:enterprise:*:*:*

Configuration 5 (hide)

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

History

02 Aug 2022, 20:45

Type Values Removed Values Added
CPE cpe:2.3:a:cli_project:cli:*:*:*:*:*:node.js:*:* cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*

22 Apr 2022, 19:36

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:graalvm:21.2.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Third Party Advisory

20 Oct 2021, 11:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -
CWE CWE-59 CWE-61

Information

Published : 2019-12-13 01:15

Updated : 2024-02-04 20:39


NVD link : CVE-2019-16775

Mitre link : CVE-2019-16775

CVE.ORG link : CVE-2019-16775


JSON object : View

Products Affected

npmjs

  • npm

fedoraproject

  • fedora

opensuse

  • leap

oracle

  • graalvm

redhat

  • enterprise_linux
  • enterprise_linux_eus
CWE
CWE-61

UNIX Symbolic Link (Symlink) Following

CWE-59

Improper Link Resolution Before File Access ('Link Following')