QwikSec

Security Database

CVE

CWE

Training

CVE-2019-16776

Published: Dec 13, 2019

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.1

7.7

HIGH

Description

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Vendor	Product	Versions
npm	cli	affected `< 6.13.3 - < 6.13.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

x_refsource_MISC

https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46

x_refsource_CONFIRM

https://www.oracle.com/security-alerts/cpujan2020.html

x_refsource_MISC

openSUSE-SU-2020:0059

vendor-advisory

x_refsource_SUSE

FEDORA-2020-595ce5e3cc

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.