CVE-2019-16775 – Unauthorized File Access in npm CLI before before version 6.13.3
https://notcve.org/view.php?id=CVE-2019-16775
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html https://access.redhat.com/errata/RHEA-2020:0330 https://access.redhat.com/errata/RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0602 https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx https://lists.fedoraproject • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVE-2018-7408
https://notcve.org/view.php?id=CVE-2018-7408
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue. Se ha descubierto un problema en un prelanzamiento de npm 5.7.0 2018-02-21 (marcado como "next: 5.7.0" y, por lo tanto, instalado automáticamente mediante un comando "npm upgrade -g npm" y anunciado en el blog del fabricante sin mencionar que se trata de un prelanzamiento). Podría permitir que los usuarios locales omitan las restricciones de acceso planeadas debido a que la propiedad de los directorios /etc y /usr se cambia de forma inesperada. Esto se relaciona con un problema "correctMkdir". • http://blog.npmjs.org/post/171169301000/v571 https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0 https://github.com/npm/npm/issues/19883 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2016-3956
https://notcve.org/view.php?id=CVE-2016-3956
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones anteriores a 4.4.2 y 5 en versiones anteriores a 5.10.0, incluye tokens portadores con peticiones arbitrarias, lo que permite a servidores HTTP remotos obtener información sensible leyendo cabeceras de autorización. • http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21980827 https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 https://github.com/npm/npm/issues/8380 https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •