Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
{
"unresolved_ranges": [
{
"vendor_product": "fedoraproject:fedora",
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "31"
},
{
"last_affected": "31"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "opensuse:leap",
"cpes": [
"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "15.1"
},
{
"last_affected": "15.1"
}
]
},
{
"vendor_product": "redhat:enterprise_linux",
"cpes": [
"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0"
},
{
"last_affected": "8.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "redhat:enterprise_linux_eus",
"cpes": [
"cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.1"
},
{
"last_affected": "8.1"
}
],
"source": "CPE_STRING"
}
]
}