Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to overwrite files that already exist on disk. References: https://www.npmjs.com/advisories/1434 https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/ https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 1788311] Affects: fedora-all [bug 1788312]
Red Hat Quay versions up to v3.2.0 are affected by the use of yarn to install client side dependencies. Red Hat Quay uses the npm package from RHEL 7 so that will be updated once a fix for RHEL 7 is available.
The issue in Yarn was assigned CVE-2019-10773, Red Hat Quay is affected by that issue, not this one.
This vulnerability is out of security support scope for the following products: * Red Hat Openshift Application Runtimes Node.js 8 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability was fixed in RHEL-8.1.0.z via the following erratum : https://access.redhat.com/errata/RHEA-2020:0330
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16776
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625