SB2019121219 - Multiple vulnerabilities in bin-links package for Node.js

Description

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences, which allows attackers to create arbitrary files in the system outside of the intended node_modules folder through the bin field.

2) UNIX symbolic link following (CVE-ID: N/A)

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a symlink following issue. A remote attacker can create a specially crafted symbolic link to files outside the thenode_modules folder through the bin field. This may allow attackers to access unauthorized files and gain access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://www.npmjs.com/advisories/1427
• https://www.npmjs.com/advisories/1435