Bug 1788310 (CVE-2019-16776)
| Summary: | CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | avibelli, bgeorges, chazlett, dbeveniu, dkreling, hesilva, hhorak, jbalunas, jorton, jpallich, jwon, krathod, lthon, mrunge, mszynkie, nodejs-maint, nodejs-sig, pgallagh, rruss, scorneli, sgallagh, tchollingsworth, thrcka, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | npm 6.13.3, nodejs 8.17.0, nodejs 10.18.0, nodejs 12.14.0, nodejs 13.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-02-24 15:49:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1788311, 1788312, 1803123, 1803124, 1803158, 1803159, 1803160, 1803686, 1803687, 1805296, 1847735 | ||
| Bug Blocks: | 1788313 | ||
|
Description
Pedro Sampaio
2020-01-06 22:20:40 UTC
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 1788311] Affects: fedora-all [bug 1788312] Red Hat Quay versions up to v3.2.0 are affected by the use of yarn to install client side dependencies. Red Hat Quay uses the npm package from RHEL 7 so that will be updated once a fix for RHEL 7 is available. The issue in Yarn was assigned CVE-2019-10773, Red Hat Quay is affected by that issue, not this one. This vulnerability is out of security support scope for the following products: * Red Hat Openshift Application Runtimes Node.js 8 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This vulnerability was fixed in RHEL-8.1.0.z via the following erratum : https://access.redhat.com/errata/RHEA-2020:0330 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16776 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625 |