Description
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability is not prevented by the --ignore-scripts install option.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat CodeReady Workspaces 1 | npm | Affected | ||
Red Hat OpenShift Application Runtimes | nodejs8 | Out of support scope | ||
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHEA-2020:0330 | 04.02.2020 |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2020:0579 | 25.02.2020 |
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | nodejs | Fixed | RHSA-2020:0573 | 24.02.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs10-nodejs | Fixed | RHSA-2020:0597 | 25.02.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs | Fixed | RHSA-2020:0602 | 25.02.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs8-nodejs | Fixed | RHSA-2020:2625 | 19.06.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | rh-nodejs10-nodejs | Fixed | RHSA-2020:0597 | 25.02.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | rh-nodejs12-nodejs | Fixed | RHSA-2020:0602 | 25.02.2020 |
Additional information
Status:
EPSS
4.8 Medium
CVSS3
Related vulnerabilities
npm Vulnerable to Global node_modules Binary Overwrite
Vulnerability in the command-line toolkits of the NPM and Yarn package managers that allows an attacker to overwrite arbitrary files within the target directory
EPSS
4.8 Medium
CVSS3