Access Restriction Bypass in npm

Do your applications use this vulnerable package? Test your applications

Overview

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

Remediation

Upgrade npm to version 5.7.1 or higher.

References

GitHub Commit
GitHub Issue

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

Low
Availability

None

Credit: Unknown
CVE: CVE-2018-7408
CWE: CWE-284
Snyk ID: npm:npm:20180222
Disclosed: 22 Feb, 2018
Published: 21 Mar, 2018

Access Restriction Bypass
Affecting npm package, versions <5.7.1

Overview

Remediation

References

CVSS Score

Access Restriction Bypass Affecting npm package, versions <5.7.1

Overview

Remediation

References

Access Restriction Bypass
Affecting npm package, versions <5.7.1