{"containers": {"cna": {"affected": [{"product": "cli", "vendor": "npm", "versions": [{"lessThan": "6.13.3", "status": "affected", "version": "< 6.13.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T10:38:25", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"name": "openSUSE-SU-2020:0059", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"name": "FEDORA-2020-595ce5e3cc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"name": "RHEA-2020:0330", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"name": "RHSA-2020:0573", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"name": "RHSA-2020:0579", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"name": "RHSA-2020:0597", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"name": "RHSA-2020:0602", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0602"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}], "source": {"advisory": "GHSA-m6cx-g6qm-p2cx", "discovery": "UNKNOWN"}, "title": "Unauthorized File Access in npm CLI before before version 6.13.3", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16775", "STATE": "PUBLIC", "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cli", "version": {"version_data": [{"version_affected": "<", "version_name": "< 6.13.3", "version_value": "6.13.3"}]}}]}, "vendor_name": "npm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-61: UNIX Symbolic Link (Symlink) Following"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2020:0059", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"name": "FEDORA-2020-595ce5e3cc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"name": "RHEA-2020:0330", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"name": "RHSA-2020:0573", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"name": "RHSA-2020:0579", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"name": "RHSA-2020:0597", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"name": "RHSA-2020:0602", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602"}, {"name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"}, {"name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", "refsource": "MISC", "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}]}, "source": {"advisory": "GHSA-m6cx-g6qm-p2cx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:48.326Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2020:0059", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"name": "FEDORA-2020-595ce5e3cc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"name": "RHEA-2020:0330", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"name": "RHSA-2020:0573", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"name": "RHSA-2020:0579", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"name": "RHSA-2020:0597", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"name": "RHSA-2020:0602", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0602"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16775", "datePublished": "2019-12-13T00:55:15", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:48.326Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90BD4A6-0099-405D-933A-6D7A47C51970", "versionEndExcluding": "6.13.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6B257954-6EF3-4CBF-A8A7-699F70F98153", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53B2BB06-A2F7-4603-89C3-C8500E55483A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.2.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9D3BBC5B-9553-4EA6-B345-F47FA8F92D64", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."}, {"lang": "es", "value": "Las versiones del npm CLI en versiones anteriores a la 6.13.3 son vulnerables a una escritura de archivo arbitraria. Es posible que los paquetes creen enlaces simb\u00f3licos a archivos fuera de la carpeta thenode_modules a trav\u00e9s del campo bin al momento de la instalaci\u00f3n. Una entrada construida correctamente en el campo bin de package.json permitir\u00eda a un editor de paquetes crear un enlace simb\u00f3lico que apunte a archivos arbitrarios en el sistema de un usuario cuando se instala el paquete. Este comportamiento todav\u00eda es posible mediante los scripts de instalaci\u00f3n. Esta vulnerabilidad evita que un usuario utilice la opci\u00f3n de instalaci\u00f3n --ignore-scripts."}], "id": "CVE-2019-16775", "lastModified": "2023-11-07T03:05:43.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2019-12-13T01:15:10.817", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0602"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-61"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHEA-2020:0330", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8010020200116150415.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-02-04T00:00:00Z"}, {"advisory": "RHSA-2020:0579", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:10-8010020200213140254.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0573", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "nodejs:10-8000020200214110450.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:2625", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.17.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:2625", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.17.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:2625", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.17.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-06-19T00:00:00Z"}], "bugzilla": {"description": "npm: Symlink reference outside of node_modules folder through the bin field upon installation", "id": "1788305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788305"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."], "name": "CVE-2019-16775", "package_state": [{"cpe": "cpe:/a:redhat:codeready_workspaces:1.", "fix_state": "Affected", "package_name": "npm", "product_name": "Red Hat CodeReady Workspaces 1"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "nodejs8", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2019-12-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-16775\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16775"], "threat_severity": "Low", "upstream_fix": "nodejs 8.17.0, nodejs 10.18.0, nodejs 12.14.0, nodejs 13.4.0, npm 6.13.3"}