CVE-2013-4116

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

Published Bysecalert@redhat.com

Published DateApr 22, 2014, 14:23

Affected Versions(1)

npm(npm)

Introduced0

Fixed1.3.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
npm(npm)	0	1.3.3	N/A

Weakness Type (CWE):CWE-59

CVSS Metrics

Base Score

3.3

Vector String

AV:L/AC:M/Au:N/C:N/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

http://www.openwall.com/lists/oss-security/2013/07/10/17
http://www.openwall.com/lists/oss-security/2013/07/11/9
http://www.securityfocus.com/bid/61083
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325
https://bugzilla.redhat.com/show_bug.cgi?id=983917
https://exchange.xforce.ibmcloud.com/vulnerabilities/87141
https://github.com/npm/npm/commit/f4d31693
https://github.com/npm/npm/issues/3635

Weakness Type (CWE):CWE-59

CVSS Metrics

Base Score

3.3

Vector String

AV:L/AC:M/Au:N/C:N/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

PARTIAL