CVE-2018-7408Incorrect Permission Assignment in NPM

CWE-732Incorrect Permission Assignment5 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 87.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Npmjs NPM
Timeline
PublishedFeb 22
Latest updateMay 13

Description

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

npmnpmjs/npm< 5.7.1
NVDnpmjs/npm5.7.0

🔴Vulnerability Details

3
OSV
Incorrect Permission Assignment for Critical Resource in NPM2022-05-13
GHSA
Incorrect Permission Assignment for Critical Resource in NPM2022-05-13
CVEList
CVE-2018-7408: An issue was discovered in an npm 52018-02-22

📋Vendor Advisories

1
Debian
CVE-2018-7408: npm - An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next:...2018
CVE-2018-7408 — Incorrect Permission Assignment in NPM | cvebase