Bug 2050282 (CVE-2021-43616)

Summary: CVE-2021-43616 npm: npm ci succeeds when package-lock.json doesn't match package.json
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bdettelb, caswilli, dkuc, extras-orphan, fjansen, hhorak, jburrell, jhouska, jorton, jwong, kaycoth, micjohns, mrunge, nodejs-maint, nodejs-sig, psegedy, sgallagh, sthirugn, thrcka, tkasparek, tsasak, vkumar, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: npm 8.4.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-02 13:32:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2050283, 2050284, 2050285, 2070011, 2070012, 2070013, 2070014, 2070015
Bug Blocks: 2050286

Description Pedro Sampaio 2022-02-03 15:54:51 UTC
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

References:

https://docs.npmjs.com/cli/v7/commands/npm-ci
https://github.com/npm/cli/issues/2701
https://github.com/icatalina/CVE-2021-43616
https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0
https://security.netapp.com/advisory/ntap-20211210-0002/

Comment 1 Pedro Sampaio 2022-02-03 15:55:19 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2050285]
Affects: fedora-all [bug 2050284]


Created npm tracking bugs for this issue:

Affects: epel-7 [bug 2050283]

Comment 7 errata-xmlrpc 2022-05-30 12:11:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:4796 https://access.redhat.com/errata/RHSA-2022:4796

Comment 10 Product Security DevOps Team 2022-09-02 13:32:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43616