GHSA-p6mr-pxg4-68hx

Published: 17 Sep 2019
Source: github
GitHub: Reviewed
CVSS3: 7.5

Description

Symlink Arbitrary File Overwrite in bower

Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Recommendation

Update to version 1.8.8 or later

Packages

Name: bower (npm)
Affected versions: < 1.8.8
Patched version: 1.8.8

EPSS

Percentile: 66%
Score: 0.00503
Low

CVSS3

7.5 High

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 7.5
nvd
more than 6 years ago

Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.

EPSS

Percentile: 66%
Score: 0.00503
Low

CVSS3

7.5 High

Weaknesses

CWE-22