Описание
Local Privilege Escalation in npm
Affected versions of npm use predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns the npm process has permission to write to, potentially resulting in local privilege escalation.
Recommendation
Update to version 1.3.3 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2013-4116
- https://github.com/npm/npm/issues/3635
- https://github.com/npm/npm/commit/f4d31693
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
- https://bugzilla.redhat.com/show_bug.cgi?id=983917
- https://exchange.xforce.ibmcloud.com/vulnerabilities/87141
- https://www.npmjs.com/advisories/152
- http://www.openwall.com/lists/oss-security/2013/07/10/17
- http://www.openwall.com/lists/oss-security/2013/07/11/9
- http://www.securityfocus.com/bid/61083
Пакеты
npm
< 1.3.3
1.3.3
Связанные уязвимости
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local us ...