CVE-2019-16776

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Configurations

Configuration 1 (hide)

cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*

Configuration 4 (hide)

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*

History

02 Aug 2022, 20:45

Type Values Removed Values Added
CPE cpe:2.3:a:cli_project:cli:*:*:*:*:*:node.js:*:* cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*

Information

Published : 2019-12-13 01:15

Updated : 2024-02-04 20:39


NVD link : CVE-2019-16776

Mitre link : CVE-2019-16776

CVE.ORG link : CVE-2019-16776


JSON object : View

Products Affected

npmjs

  • npm

opensuse

  • leap

redhat

  • enterprise_linux_eus
  • enterprise_linux

oracle

  • graalvm

fedoraproject

  • fedora
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')