Bug 2050282 (CVE-2021-43616)
| Summary: | CVE-2021-43616 npm: npm ci succeeds when package-lock.json doesn't match package.json | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | bdettelb, caswilli, dkuc, extras-orphan, fjansen, hhorak, jburrell, jhouska, jorton, jwong, kaycoth, micjohns, mrunge, nodejs-maint, nodejs-sig, psegedy, sgallagh, sthirugn, thrcka, tkasparek, tsasak, vkumar, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | npm 8.4.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-09-02 13:32:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2050283, 2050284, 2050285, 2070011, 2070012, 2070013, 2070014, 2070015 | | |
| Bug Blocks: | 2050286 | | |
Description

Pedro Sampaio
2022-02-03 15:54:51 UTC

Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2050285]
Affects: fedora-all [bug 2050284]

Created npm tracking bugs for this issue:

Affects: epel-7 [bug 2050283]

Upstream issues:
https://github.com/npm/cli/issues/2701
https://github.com/npm/cli/issues/3947

Upstream PR: https://github.com/npm/cli/pull/4363

Upstream commit: https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:4796 https://access.redhat.com/errata/RHSA-2022:4796

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43616
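The Doc Text above describes the missing behaviour: npm ci is documented to refuse an install when package-lock.json no longer satisfies package.json, and affected versions proceeded anyway. The following Node.js script is an added example, not npm's code and not the upstream fix linked above; it performs the kind of consistency check a CI pipeline can run before trusting a lockfile. It reads the lockfileVersion 2/3 "packages" map (falling back to the lockfileVersion 1 "dependencies" map), and its range matcher covers only exact, caret and tilde ranges, reporting any other range as unverifiable rather than silently accepting it. The package names, versions and both manifests are constructed for the example.

```javascript
// Added example (not npm's code): check that every dependency declared in
// package.json is present in package-lock.json at a version that satisfies
// the declared range. A non-empty result means the lockfile is stale.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// "1.2.3" -> [1, 2, 3]; anything else (prerelease tags, ranges) -> null
function parseVersion(v) {
  const m = SEMVER.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true/false for exact, "^x.y.z" and "~x.y.z" ranges, and the string
// 'unsupported' for any range syntax this example does not model, so an
// unrecognised range is never treated as satisfied.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return 'unsupported';
  let op = '';
  let base = range;
  if (range.startsWith('^') || range.startsWith('~')) {
    op = range[0];
    base = range.slice(1);
  }
  const b = parseVersion(base);
  if (!b) return 'unsupported';
  if (cmp(v, b) < 0) return false;          // below the declared minimum
  if (op === '') return cmp(v, b) === 0;    // exact pin
  let upper;                                 // exclusive upper bound
  if (op === '~') {
    upper = [b[0], b[1] + 1, 0];             // ~1.2.3 -> <1.3.0
  } else if (b[0] > 0) {
    upper = [b[0] + 1, 0, 0];                // ^1.2.3 -> <2.0.0
  } else if (b[1] > 0) {
    upper = [0, b[1] + 1, 0];                // ^0.2.3 -> <0.3.0
  } else {
    upper = [0, 0, b[2] + 1];                // ^0.0.3 -> <0.0.4
  }
  return cmp(v, upper) < 0;
}

// Locate a top-level dependency in either lockfile layout.
function lockEntry(lock, name) {
  if (lock.packages && lock.packages['node_modules/' + name]) {
    return lock.packages['node_modules/' + name];
  }
  if (lock.dependencies && lock.dependencies[name]) {
    return lock.dependencies[name];
  }
  return null;
}

// Returns a list of human-readable problems; empty means the lockfile
// satisfies every declared dependency.
function checkLock(pkg, lock) {
  const problems = [];
  const declared = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  for (const [name, range] of Object.entries(declared)) {
    const entry = lockEntry(lock, name);
    if (!entry) {
      problems.push(`${name}: declared (${range}) but missing from lockfile`);
      continue;
    }
    const ok = satisfies(entry.version, range);
    if (ok === 'unsupported') {
      problems.push(`${name}: cannot verify range ${range} against ${entry.version}`);
    } else if (!ok) {
      problems.push(`${name}: lockfile has ${entry.version}, package.json requires ${range}`);
    }
  }
  return problems;
}

// Constructed sample: package.json was edited (one range bumped, one package
// added, one range in an unmodelled syntax) but the lockfile was not regenerated.
const samplePackageJson = {
  dependencies: {
    'alpha-lib': '^4.17.21',   // lockfile still has an older version
    'beta-tool': '~2.3.1',     // lockfile version is within range
    'gamma-util': '1.0.0',     // not in the lockfile at all
    'delta-core': '>=1.2.0',   // syntax this example does not model
  },
};
const samplePackageLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/alpha-lib': { version: '4.17.15' },
    'node_modules/beta-tool': { version: '2.3.7' },
    'node_modules/delta-core': { version: '1.2.6' },
  },
};

function runSample() {
  return checkLock(samplePackageJson, samplePackageLock);
}

console.log(runSample().join('\n'));
```

Running the sample reports three problems (the stale alpha-lib version, the missing gamma-util entry, and the unverifiable delta-core range) while beta-tool passes; a pipeline that exits non-zero on a non-empty result gets the refusal that the affected npm versions did not provide.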