CVE-2019-16775

Summary

CVE	CVE-2019-16775
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-12-13 01:15:00 UTC
Updated	2023-11-07 03:05:00 UTC
Description	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Risk And Classification

Problem Types: CWE-61

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Cli Project	Cli	All	All	All	All
Application	Cli Project	Cli	All	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Application	Npmjs	Npm	All	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Graalvm	19.3.0.2	All	All	All
Application	Oracle	Graalvm	20.3.3	All	All	All
Application	Oracle	Graalvm	21.2.2	All	All	All
Application	Oracle	Graalvm	19.3.0.2	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.1	All	All	All

References

Reference	Source	Link	Tags
The npm Blog — Binary Planting with the npm CLI	MISC	blog.npmjs.org	Third Party Advisory
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[SECURITY] Fedora 31 Update: nodejs-12.14.1-3.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Oracle Critical Patch Update Advisory - January 2020	MISC	www.oracle.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Unauthorized File Access · Advisory · npm/cli · GitHub	CONFIRM	github.com	Third Party Advisory
[SECURITY] Fedora 31 Update: nodejs-12.14.1-3.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[security-announce] openSUSE-SU-2020:0059-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

296077 Oracle Solaris 11.4 Support Repository Update (SRU) 18.4.0 Missing (CPUJAN2020)
940003 AlmaLinux Security Update for nodejs:10 (ALSA-2020:0579)
960732 Rocky Linux Security Update for nodejs:10 (RLSA-2020:0579)
980298 Nodejs (npm) Security Update for npm (GHSA-m6cx-g6qm-p2cx)