CVE Vulnerabilities

CVE-2019-16777

Improper Privilege Management

Published: Dec 13, 2019 | Modified: Nov 07, 2023
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5.5 MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:P
RedHat/V2
RedHat/V3
4.8 LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the –ignore-scripts install option.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Npm Npmjs * 6.13.4 (excluding)
Red Hat Enterprise Linux 8 RedHat nodejs:12-8010020200116150415.c27ad7f8 *
Red Hat Enterprise Linux 8 RedHat nodejs:10-8010020200213140254.c27ad7f8 *
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions RedHat nodejs:10-8000020200214110450.f8e95b4e *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs10-nodejs-0:10.19.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs12-nodejs-0:12.16.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs8-nodejs-0:8.17.0-2.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat rh-nodejs10-nodejs-0:10.19.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat rh-nodejs12-nodejs-0:12.16.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat rh-nodejs10-nodejs-0:10.19.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat rh-nodejs12-nodejs-0:12.16.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat rh-nodejs8-nodejs-0:8.17.0-2.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs10-nodejs-0:10.19.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs12-nodejs-0:12.16.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS RedHat rh-nodejs8-nodejs-0:8.17.0-2.el7 *
Npm Ubuntu bionic *
Npm Ubuntu disco *
Npm Ubuntu eoan *
Npm Ubuntu groovy *
Npm Ubuntu hirsute *
Npm Ubuntu impish *
Npm Ubuntu kinetic *
Npm Ubuntu lunar *
Npm Ubuntu mantic *
Npm Ubuntu trusty *
Npm Ubuntu trusty/esm *
Npm Ubuntu xenial *

Potential Mitigations

References