GHSA-v3jv-wrf4-5845
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v3jv-wrf4-5845
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-v3jv-wrf4-5845/GHSA-v3jv-wrf4-5845.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v3jv-wrf4-5845
- Aliases
- Related
- Published
- 2020-09-01T16:03:34Z
- Modified
- 2023-11-08T03:57:19.995829Z
- Summary
- Local Privilege Escalation in npm
- Details
-
Affected versions of
npmuse predictable temporary file names during archive unpacking. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user which owns thenpmprocess has permission to write to, potentially resulting in local privilege escalation.Recommendation
Update to version 1.3.3 or later.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-59" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:12:39Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-4116
- https://github.com/npm/npm/issues/3635
- https://github.com/npm/npm/commit/f4d31693
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
- https://bugzilla.redhat.com/show_bug.cgi?id=983917
- https://exchange.xforce.ibmcloud.com/vulnerabilities/87141
- https://github.com/npm/npm
- https://www.npmjs.com/advisories/152
- http://www.openwall.com/lists/oss-security/2013/07/10/17
- http://www.openwall.com/lists/oss-security/2013/07/11/9
- http://www.securityfocus.com/bid/61083
Affected packages
npm / npm
Package
- Name
- npm
- View open source insights on deps.dev
- Purl
- pkg:npm/npm