CVE-2019-16776

Published: 13/12/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8
CVSS v3 Base Score: 8.1 | Impact Score: 5.2 | Exploitability Score: 2.8
VMScore: 490
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Vulnerability Summary

Versions of the npm CLI before 6.13.3 are vulnerable to an Arbitrary File Write. The CLI fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability takes effect even when the user installs with the --ignore-scripts option.
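As an added example (not npm's own code or its fix), the following Node.js check flags bin entries in a parsed package.json whose command name or target path would resolve outside the package. Checking both sides goes slightly beyond the summary above, and PKG_ROOT, the function names and the sample manifests are constructed for illustration.

```javascript
const path = require('path');

// Constructed placeholder root; only containment matters, not the location.
const PKG_ROOT = path.resolve('/pkgroot');

// True when `rel` is a relative path that resolves strictly inside PKG_ROOT.
function staysInPackage(rel) {
  if (typeof rel !== 'string' || rel === '' || rel.includes('\0')) return false;
  const p = rel.replace(/\\/g, '/'); // treat Windows separators as separators
  if (path.posix.isAbsolute(p) || /^[A-Za-z]:/.test(p)) return false;
  return path.resolve(PKG_ROOT, p).startsWith(PKG_ROOT + path.sep);
}

// A command name must be one path component, never a path.
function isPlainName(name) {
  return name !== '' && name !== '.' && name !== '..' && !/[\\/\0]/.test(name);
}

// Returns one finding per suspicious "bin" entry of a parsed package.json.
function auditBin(pkg) {
  let bin = pkg.bin;
  if (bin == null) return [];
  if (typeof bin === 'string') {
    // String form: the command is named after the package, minus any scope.
    bin = { [String(pkg.name).replace(/^@[^/]+\//, '')]: bin };
  }
  if (typeof bin !== 'object' || Array.isArray(bin)) {
    return [{ name: null, target: null, reason: 'bin-not-object' }];
  }
  const findings = [];
  for (const [name, target] of Object.entries(bin)) {
    if (!isPlainName(name)) findings.push({ name, target, reason: 'name-escapes-bin-dir' });
    if (!staysInPackage(target)) findings.push({ name, target, reason: 'target-escapes-package' });
  }
  return findings;
}

// Constructed sample manifests (not taken from any real package).
const benign = { name: '@scope/tool', bin: './cli.js' };
const suspicious = {
  name: 'example-pkg',
  bin: { '../../outside/planted': './cli.js', ok: '../../outside/file' },
};
console.log(auditBin(benign));
console.log(auditBin(suspicious));
```

Run it over each package.json in an unpacked tarball before installation; a non-empty result means the manifest should be reviewed by hand.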

Vulnerable Product

npmjs npm

opensuse leap 15.1

oracle graalvm 19.3.0.2

fedoraproject fedora 31

redhat enterprise linux 8.0

redhat enterprise linux eus 8.1

Vendor Advisories

Debian Bug report logs - #947127 npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777 Package: src:npm; Maintainer for src:npm is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sat, 21 Dec 2019 16:27:02 UTC Severity: important Tag ...
Synopsis: Important: nodejs:10 security update. Type/Severity: Security Advisory: Important. Topic: An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Moderate: rh-nodejs8-nodejs security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-nodejs8-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System ...
Synopsis: Important: rh-nodejs12-nodejs security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring S ...
Synopsis: Important: rh-nodejs10-nodejs security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring S ...
Synopsis: Important: nodejs:10 security update. Type/Severity: Security Advisory: Important. Topic: An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CV ...
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when ...