All errata/sisyphus/ALT-PU-2019-3385-2
ALT-PU-2019-3385-2

Package update npm in branch sisyphus

Version6.13.4-alt1
Task#243521
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (9)

BDU:2019-04689
HIGH7.7

Уязвимость набора инструментов командной строки пакетных менеджеров NPM и Yarn, позволяющая нарушителю перезаписать произвольные файлы в контексте целевого каталога

Published: 2019-12-17Modified: 2020-02-10
CVSS 3.xHIGH 7.7
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:N
References
BDU:2019-04690
HIGH7.7

Уязвимость набора инструментов командной строки пакетных менеджеров NPM и Yarn, позволяющая нарушителю записывать произвольные файлы

Published: 2019-12-17Modified: 2020-02-10
CVSS 3.xHIGH 7.7
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:N
References
BDU:2019-04691
HIGH7.7

Уязвимость набора инструментов командной строки пакетных менеджеров NPM и Yarn, позволяющая нарушителю записывать произвольные файлы

Published: 2019-12-17Modified: 2020-02-10
CVSS 3.xHIGH 7.7
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:N
References
CVE-2019-16775
MEDIUM6.5

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Published: 2019-12-13Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
CVE-2019-16776
HIGH8.1

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Published: 2019-12-13Modified: 2024-11-21
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References
CVE-2019-16777
MEDIUM6.5

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Published: 2019-12-13Modified: 2024-11-21
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
GHSA-4328-8hgf-7wjr
HIGH7.7

npm Vulnerable to Global node_modules Binary Overwrite

Published: 2019-12-13Modified: 2022-08-11
CVSS 3.xHIGH 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
References
GHSA-m6cx-g6qm-p2cx
HIGH7.7

Arbitrary File Write in npm

Published: 2019-12-13Modified: 2021-10-22
CVSS 3.xHIGH 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
References
GHSA-x8qc-rrcw-4r46
HIGH7.7

npm symlink reference outside of node_modules

Published: 2019-12-13Modified: 2022-08-11
CVSS 3.xHIGH 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
References