CVE-2021-39135
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.
"@npmcli/arborist", la biblioteca que calcula los árboles de dependencia y maneja la jerarquía de carpetas node_modules para la interfaz de línea de comandos de npm, tiene como objetivo garantizar que se cumplan los contratos de dependencia de los paquetes, y que la extracción del contenido de los paquetes sea llevada a cabo siempre en la carpeta esperada. Esto es conseguido extrayendo el contenido de los paquetes en la carpeta "node_modules" de un proyecto. Si la carpeta "node_modules" del proyecto root o cualquiera de sus dependencias se sustituye de algún modo por un enlace simbólico, podría permitir a Arborist escribir las dependencias de los paquetes en cualquier ubicación arbitraria del sistema de archivos. Tenga en cuenta que los enlaces simbólicos contenidos en los artefactos de los paquetes se filtran, por lo que habría que emplear otro medio para crear un enlace simbólico "node_modules". 1. Un script "preinstall" podría sustituir "node_modules" por un enlace simbólico. (Esto es impedido usando "--ignore-scripts".) 2. Un atacante podría suministrar al objetivo un repositorio git, indicándole que ejecute "npm install --ignore-scripts" en root. Esto podría tener éxito, porque "npm install --ignore-scripts" no suele ser capaz de realizar cambios fuera del directorio del proyecto, por lo que podría considerarse seguro. Esto está parcheado en @npmcli/arborist versión 2.8.2 que se incluye en npm versiones v7.20.7 y superiores. Para más información, incluyendo soluciones, consulte la referencia documento GHSA-gmw6-94gg-2rc2
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-16 CVE Reserved
- 2021-08-31 CVE Published
- 2024-05-16 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-61: UNIX Symbolic Link (Symlink) Following
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2 | Third Party Advisory | |
https://www.npmjs.com/package/%40npmcli/arborist | X_refsource_misc |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Npmjs Search vendor "Npmjs" | Arborist Search vendor "Npmjs" for product "Arborist" | < 2.8.2 Search vendor "Npmjs" for product "Arborist" and version " < 2.8.2" | node.js |
Affected
| in | Npmjs Search vendor "Npmjs" | Npm Search vendor "Npmjs" for product "Npm" | < 7.20.7 Search vendor "Npmjs" for product "Npm" and version " < 7.20.7" | - |
Safe
|
Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 20.3.3 Search vendor "Oracle" for product "Graalvm" and version "20.3.3" | enterprise |
Affected
| ||||||
Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 21.2.0 Search vendor "Oracle" for product "Graalvm" and version "21.2.0" | enterprise |
Affected
| ||||||
Siemens Search vendor "Siemens" | Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services" | < 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1" | - |
Affected
|