CVE-2019-16775: npm Blog Archive: Binary Planting with the npm CLI

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts, but because the bin field is processed even when a user installs with the --ignore-scripts option, this vulnerability bypasses that protection.


tl;dr - Update to npm v6.13.4 as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access.

The Vulnerabilities

In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.

In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location. (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)

A mitigating factor for both vulnerabilities is that a malicious actor would have to get their victim to install the package with the specially crafted bin entry. However, as we have seen in the past, this is not an insurmountable barrier.

Current Risk

The npm, Inc. security team has been scanning the registry for examples of this attack and has not found any published packages in the registry with this exploit. That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the registry.

We will continue monitoring, and will take action to prevent any bad actors from exploiting this vulnerability in the future. However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.

The Fix

The package.json parsing libraries in use in npm v6.13.3 were updated such that they sanitize and validate all entries in the bin field, removing leading slashes, . and .. path entries, and other means of path escape, using the well-tested and highly reliable path utility built into Node.js.

The fix was reviewed by npm, Inc.'s security team, and the review showed that it prevented the arbitrary path manipulation reported.

The bin script linking libraries in use in npm v6.13.4 were updated such that, when installing binary entries of top-level globally installed packages, they will only overwrite existing binary files if they are currently installed on behalf of the same package being installed. For example, npm install --global foo could overwrite /usr/local/bin/foo if and only if /usr/local/bin/foo is currently a link to a previously installed version of foo.

This second fix was also reviewed by npm, Inc.'s security team, and the review showed that it prevented the bin file overwriting exploit.

To patch both vulnerabilities, please run npm install -g npm@6.13.4 as soon as possible.

Thank you!

The vulnerabilities were responsibly reported by Daniel Ruf, and we greatly appreciate Daniel’s help in keeping our community safe.

If you think you’ve found a security issue in the npm CLI, we encourage you to report it to [email protected] and we’ll help you through the triage and disclosure process.
