Published: 13/12/2019 Updated: 07/11/2023

CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8

CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8

VMScore: 490

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

Versions of the npm CLI before 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Vulnerable Product	Search on Vulmon	Subscribe to Product
npmjs npm
opensuse leap 15.1
oracle graalvm 19.3.0.2
fedoraproject fedora 31
redhat enterprise linux 8.0
redhat enterprise linux eus 8.1

Debian Bug report logs - #947127 npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777 Package: src:npm; Maintainer for src:npm is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 21 Dec 2019 16:27:02 UTC Severity: important Tag ...

Synopsis Important: nodejs:10 security update Type/Severity Security Advisory: Important Topic An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 80 Update Services for SAP SolutionsRed Hat Product Security has rated this update as having a security impact of Important A Com ...

Synopsis Moderate: rh-nodejs8-nodejs security update Type/Severity Security Advisory: Moderate Topic An update for rh-nodejs8-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System ...

Synopsis Important: rh-nodejs12-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs12-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring S ...

Synopsis Important: rh-nodejs10-nodejs security update Type/Severity Security Advisory: Important Topic An update for rh-nodejs10-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring S ...

Synopsis Important: nodejs:10 security update Type/Severity Security Advisory: Important Topic An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CV ...

Versions of the npm CLI prior to 6134 are vulnerable to an Arbitrary File Overwrite It fails to prevent existing globally-installed binaries to be overwritten by other package installations For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overw ...

CWE-269 https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html https://www.oracle.com/security-alerts/cpujan2020.html https://access.redhat.com/errata/RHEA-2020:0330 https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0602 https://security.gentoo.org/glsa/202003-48 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947127 https://nvd.nist.gov

CVE-2019-16777

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect