Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unauthorized File Access in npm CLI before before version 6.13.3
Vulnerability Description
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
npm CLI 路径遍历漏洞
Vulnerability Description
npm CLI是美国npm公司的一款软件包管理器。 npm CLI 6.13.3之前版本中存在路径遍历漏洞。攻击者可借助package.json文件的bin字段利用该漏洞访问node_modules文件夹之外的文件夹。
CVSS Information
N/A
Vulnerability Type
N/A