Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-16777

Опубликовано: 13 дек. 2019
Источник: nvd
CVSS3: 7.7
CVSS3: 6.5
CVSS2: 5.5
EPSS Низкий

Описание

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*
Версия до 6.13.4 (исключая)
Конфигурация 2
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:oracle:graalvm:19.3.0.2:*:*:*:enterprise:*:*:*
Конфигурация 4
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Конфигурация 5

Одно из

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*

EPSS

Процентиль: 52%
0.00287
Низкий

7.7 High

CVSS3

6.5 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-22
CWE-269

Связанные уязвимости

ubuntu логотип

CVE-2019-16777

CVSS3: 7.7
ubuntu
больше 5 лет назад

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

redhat логотип

CVE-2019-16777

CVSS3: 4.8
redhat
больше 5 лет назад

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

debian логотип

CVE-2019-16777

CVSS3: 7.7
debian
больше 5 лет назад

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary ...

github логотип

GHSA-4328-8hgf-7wjr

CVSS3: 7.7
github
больше 5 лет назад

npm Vulnerable to Global node_modules Binary Overwrite

fstec логотип

BDU:2019-04689

CVSS3: 7.7
fstec
больше 5 лет назад

Уязвимость набора инструментов командной строки пакетных менеджеров NPM и Yarn, позволяющая нарушителю перезаписать произвольные файлы в контексте целевого каталога

EPSS

Процентиль: 52%
0.00287
Низкий

7.7 High

CVSS3

6.5 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-22
CWE-269