{"containers": {"cna": {"affected": [{"product": "cli", "vendor": "npm", "versions": [{"lessThan": "6.13.3", "status": "affected", "version": "< 6.13.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-07T18:33:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "openSUSE-SU-2020:0059", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"name": "FEDORA-2020-595ce5e3cc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"name": "RHEA-2020:0330", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"name": "RHSA-2020:0573", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"name": "RHSA-2020:0579", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"name": "RHSA-2020:0597", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"name": "RHSA-2020:0602", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0602"}], "source": {"advisory": "GHSA-x8qc-rrcw-4r46", "discovery": "UNKNOWN"}, "title": "Unauthorized File Access in npm CLI before before version 6.13.3", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16776", "STATE": "PUBLIC", "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cli", "version": {"version_data": [{"version_affected": "<", "version_name": "< 6.13.3", "version_value": "6.13.3"}]}}]}, "vendor_name": "npm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", "refsource": "MISC", "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}, {"name": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"}, {"name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "openSUSE-SU-2020:0059", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"name": "FEDORA-2020-595ce5e3cc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"name": "RHEA-2020:0330", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"name": "RHSA-2020:0573", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"name": "RHSA-2020:0579", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"name": "RHSA-2020:0597", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"name": "RHSA-2020:0602", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0602"}]}, "source": {"advisory": "GHSA-x8qc-rrcw-4r46", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:48.040Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "openSUSE-SU-2020:0059", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"name": "FEDORA-2020-595ce5e3cc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"name": "RHEA-2020:0330", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"name": "RHSA-2020:0573", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"name": "RHSA-2020:0579", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"name": "RHSA-2020:0597", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"name": "RHSA-2020:0602", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0602"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16776", "datePublished": "2019-12-13T00:55:16", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:48.040Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90BD4A6-0099-405D-933A-6D7A47C51970", "versionEndExcluding": "6.13.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6B257954-6EF3-4CBF-A8A7-699F70F98153", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."}, {"lang": "es", "value": "Las versiones del npm CLI en versiones anteriores a la 6.13.3 son vulnerables a una escritura de archivo arbitraria. No puede evitar el acceso a las carpetas fuera de la carpeta node_modules prevista a trav\u00e9s del campo bin. Una entrada construida correctamente en el campo bin de package.json permitir\u00eda al editor del paquete modificar y/o acceder a archivos arbitrarios en el sistema de un usuario cuando el paquete est\u00e9 instalado. Este comportamiento a\u00fan es posible mediante scripts de instalaci\u00f3n. Esta vulnerabilidad evita que un usuario utilice la opci\u00f3n de instalaci\u00f3n --ignore-scripts."}], "id": "CVE-2019-16776", "lastModified": "2023-11-07T03:05:43.720", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2019-12-13T01:15:10.913", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHEA-2020:0330"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0573"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0579"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0597"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0602"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHEA-2020:0330", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8010020200116150415.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-02-04T00:00:00Z"}, {"advisory": "RHSA-2020:0579", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:10-8010020200213140254.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0573", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "nodejs:10-8000020200214110450.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:2625", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.17.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:2625", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.17.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-06-19T00:00:00Z"}, {"advisory": "RHSA-2020:0597", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.19.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:0602", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.16.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-02-25T00:00:00Z"}, {"advisory": "RHSA-2020:2625", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.17.0-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-06-19T00:00:00Z"}], "bugzilla": {"description": "npm: Arbitrary file write via constructed entry in the package.json bin field", "id": "1788310", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788310"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."], "name": "CVE-2019-16776", "package_state": [{"cpe": "cpe:/a:redhat:codeready_workspaces:1.", "fix_state": "Affected", "package_name": "npm", "product_name": "Red Hat CodeReady Workspaces 1"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "nodejs8", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2019-12-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-16776\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16776"], "threat_severity": "Low", "upstream_fix": "nodejs 8.17.0, nodejs 10.18.0, nodejs 12.14.0, nodejs 13.4.0, npm 6.13.3"}