
CVSS: 4.4 | EPSS: 0% | CPEs: 4 | EXPL: 1

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

References:
• https://github.com/ossf-cve-benchmark/CVE-2020-15095
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
• https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
• https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
• https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-

CWE-532: Insertion of Sensitive Information into Log File

CVSS: 7.7 | EPSS: 0% | CPEs: 6 | EXPL: 0

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References:
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
• https://access.redhat.com/errata/RHEA-2020:0330
• https://access.redhat.com/errata/RHSA-2020:0573
• https://access.redhat.com/errata/RHSA-2020:0579
• https://access.redhat.com/errata/RHSA-2020:0597
• https://access.redhat.com/errata/RHSA-2020:0602
• https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
• https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
• https://lists.fedoraproject&#

CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-269: Improper Privilege Management

CVSS: 8.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References:
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
• https://access.redhat.com/errata/RHEA-2020:0330
• https://access.redhat.com/errata/RHSA-2020:0573
• https://access.redhat.com/errata/RHSA-2020:0579
• https://access.redhat.com/errata/RHSA-2020:0597
• https://access.redhat.com/errata/RHSA-2020:0602
• https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
• https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
• https://lists.fedoraproject&#

CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.7 | EPSS: 0% | CPEs: 8 | EXPL: 0

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

References:
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
• https://access.redhat.com/errata/RHEA-2020:0330
• https://access.redhat.com/errata/RHSA-2020:0573
• https://access.redhat.com/errata/RHSA-2020:0579
• https://access.redhat.com/errata/RHSA-2020:0597
• https://access.redhat.com/errata/RHSA-2020:0602
• https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
• https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
• https://lists.fedoraproject&#

CWE-20: Improper Input Validation
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-61: UNIX Symbolic Link (Symlink) Following

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

References:
• http://blog.npmjs.org/post/171169301000/v571
• https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0
• https://github.com/npm/npm/issues/19883

CWE-732: Incorrect Permission Assignment for Critical Resource