#VU23880 Path traversal in NPM


Published: 2019-12-12 | Updated: 2020-02-24

Vulnerability identifier: #VU23880

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16777

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NPM
Web applications / CMS

Vendor: isaacs

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. The software fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin

A remote attacker can overwrite arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

NPM: 1.1.25 - 6.13.3

External links
http://www.npmjs.com/advisories/1437

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM InfoSphere Information Server
Multiple vulnerabilities in IBM VM Recovery Manager DR
Gentoo update for Node.js
Red Hat Software Collections update for rh-nodejs10-nodejs
Red Hat Software Collections security update for rh-nodejs12-nodejs
Red Hat 8 update for nodejs:10
Red Hat update for nodejs:10 module
Red Hat Enterprise Linux 8 update for nodejs:12
OpenSUSE Linux update for nodejs8
Path traversal in npm package for Node.js