From be5d693fc2657885bb6bb6b6074ae701956befbe Mon Sep 17 00:00:00 2001
From: Robert Schultheis
Date: Thu, 12 Dec 2019 17:24:34 -0700
Subject: [PATCH] Add CVE-2019-16775 for GHSA-m6cx-g6qm-p2cx
---
2019/16xxx/CVE-2019-16775.json | 90 ++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 2019/16xxx/CVE-2019-16775.json
diff --git a/2019/16xxx/CVE-2019-16775.json b/2019/16xxx/CVE-2019-16775.json
new file mode 100644
index 00000000000..488e0428f59
--- /dev/null
+++ b/2019/16xxx/CVE-2019-16775.json
@@ -0,0 +1,90 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2019-16775",
+ "STATE": "PUBLIC",
+ "TITLE": "Unauthorized File Access in npm CLI before before version 6.13.3"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "cli",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "< 6.13.3",
+ "version_value": "6.13.3"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "npm"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed.\n\nThis behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.7,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-61: UNIX Symbolic Link (Symlink) Following"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"
+ },
+ {
+ "name": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli",
+ "refsource": "MISC",
+ "url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-m6cx-g6qm-p2cx",
+ "discovery": "UNKNOWN"
+ }
+}
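Review bot: The record's own metadata is inconsistent about the vulnerability class: the `TITLE` line says "Unauthorized File Access" and repeats "before before", while the description and the CWE-61 problem type describe an arbitrary file write through symlinks created from the package.json `bin` field. Because this text is what advisory databases and scanners display to users deciding whether to upgrade, I would at minimum drop the duplicated word, and preferably align the title with the description, e.g. `"TITLE": "Arbitrary File Write via bin field symlinks in npm CLI before version 6.13.3"` (the exact wording is the assigner's call, but the mismatch should not ship). The description's `value` line also has a run-together word, `thenode_modules` → `the node_modules`, and its final sentence reads more clearly as `This vulnerability bypasses the --ignore-scripts install option.` The CVSS 3.1 vector and the 7.7 base score are consistent with each other, so no change is needed in the `impact` block.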