Bug 2098556 (CVE-2022-29244) - CVE-2022-29244 nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace
Summary: CVE-2022-29244 nodejs: npm pack ignores root-level .gitignore and .npmignore ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-29244
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2098559 2098560 2098561 2098563 2098564 2098565 2098566 2098567 2098568 2104752 2104753 2104754 2104755 2104756 2124939
Blocks: 2098557
Reported: 2022-06-20 05:54 UTC by Avinash Hanwate
Modified: 2022-11-28 12:55 UTC
CC List: 10 users

Fixed In Version: Node.js 16.15.1, Node.js 17.9.1, Node.js 18.3.0 (bundling npm 8.11.0)
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in npm. When run in a workspace or with a workspace flag (for example, --workspaces, --workspace=<name>), npm pack ignores the root-level ".gitignore" and ".npmignore" file exclusion directives and packs the workspace package as if they did not exist. Anyone who has run 'npm pack' or 'npm publish' inside a workspace with an affected npm version (npm pack since 7.9.0, npm publish since 7.13.0; fixed in npm 8.11.0, bundled with Node.js 16.15.1, 17.9.1 and 18.3.0) may have published files into the npm registry that they did not intend to include, exposing sensitive information such as credentials or local configuration to anyone who can download the package. Upgrading stops further leaks but does not remove tarballs already published; previously published workspace packages should be inspected and any exposed secrets rotated.
Clone Of:
Environment:
Last Closed: 2022-11-28 12:55:41 UTC
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2022:6595
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-09-20 12:24:10 UTC

Description Avinash Hanwate 2022-06-20 05:54:05 UTC
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0; run: `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/npm/npm-packlist
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/nodejs/node/releases/tag/v16.15.1

Comment 1 Avinash Hanwate 2022-06-20 06:03:27 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2098559]
Affects: fedora-all [bug 2098563]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098564]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2098560]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098565]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098566]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2098561]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098567]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098568]

Comment 5 errata-xmlrpc 2022-09-20 12:24:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 7 Product Security DevOps Team 2022-11-28 12:55:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29244
