CVE-2021-39134

CWE-61 CWE-178 CWE-597 documents6 sources

Severity

7.8HIGH

EPSS

0.7%

top 27.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NPM Arborist Npmjs Arborist Siemens Sinec Infrastructure Network Services +2 more

Timeline

PublishedAug 31

Description

`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.8

Affected Packages6 packages

▶npm@npmcli/arborist< 2.8.2

▶CVEListV5npm/arborist< 2.8.2

▶NVDnpmjs/arborist< 2.8.2

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶Debiannpm< 7.24.0+ds-2+2

Patches

Patch: cert-portal.siemens.com ↗Patch: www.oracle.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

OSV

@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following↗2021-08-31

▶

OSV

CVE-2021-39134: `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, a↗2021-08-31

▶

GHSA

@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following↗2021-08-31

▶

CVEList

UNIX Symbolic Link (Symlink) Following in @npmcli/arborist↗2021-08-31

▶

📋Vendor Advisories

Red Hat

nodejs-arborist: symlink following vulnerability↗2021-08-31

▶

Debian

CVE-2021-39134: npm - `@npmcli/arborist`, the library that calculates dependency trees and manages the...↗2021

▶