Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4
CVSSv2

CVE-2019-16775

Published: 13/12/2019 Updated: 07/11/2023
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Subscribe to Enterprise Linux

Vulnerability Summary

Versions of the npm CLI before 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

redhat enterprise linux 8.0

redhat enterprise linux eus 8.1

npmjs npm

opensuse leap 15.1

oracle graalvm 19.3.0.2

oracle graalvm 20.3.3

oracle graalvm 21.2.2

fedoraproject fedora 31

Vendor Advisories

Debian CVElist Bug Report Logs: npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777
Debian Bug report logs - #947127 npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777 Package: src:npm; Maintainer for src:npm is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 21 Dec 2019 16:27:02 UTC Severity: important Tag ...
Red Hat: Important: nodejs:10 security update
Synopsis Important: nodejs:10 security update Type/Severity Security Advisory: Important Topic An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 80 Update Services for SAP SolutionsRed Hat Product Security has rated this update as having a security impact of Important A Com ...
Red Hat: Moderate: rh-nodejs8-nodejs security update
Synopsis Moderate: rh-nodejs8-nodejs security update Type/Severity Security Advisory: Moderate Topic An update for rh-nodejs8-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System ...
Red Hat: Important: rh-nodejs12-nodejs security update
Synopsis Important: rh-nodejs12-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs12-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring S ...
Red Hat: Important: rh-nodejs10-nodejs security update
Synopsis Important: rh-nodejs10-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs10-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring S ...
Red Hat: Important: nodejs:10 security update
Synopsis Important: nodejs:10 security update Type/Severity Security Advisory: Important Topic An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CV ...
Arch Linux Issues:
Versions of the npm CLI prior to 6133 are vulnerable to an Arbitrary File Write It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation A properly constructed entry in the packagejson bin field would allow a package publisher to create a symlink pointing to arbitrary fi ...

References

CWE-61https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-clihttps://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cxhttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.htmlhttps://www.oracle.com/security-alerts/cpujan2020.htmlhttps://access.redhat.com/errata/RHEA-2020:0330https://access.redhat.com/errata/RHSA-2020:0573https://access.redhat.com/errata/RHSA-2020:0579https://access.redhat.com/errata/RHSA-2020:0597https://access.redhat.com/errata/RHSA-2020:0602https://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127https://nvd.nist.govhttps://security.archlinux.org/CVE-2019-16775
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-22460CVE-2024-4646CVE-2024-29212IMAPCVE-2023-36672CVE-2024-34547command injectionCVE-2024-4651stored XSS
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook