CVE-2021-39135

CWE-61CWE-597 documents6 sources
Severity
7.8HIGH
EPSS
0.2%
top 56.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
NPM ArboristNpmjs ArboristSiemens Sinec Infrastructure Network Services+2 more
Timeline
PublishedAug 31

Description

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a sym

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.8

Affected Packages6 packages

npm@npmcli/arborist< 2.8.2
CVEListV5npm/arborist< 2.8.2
NVDnpmjs/arborist< 2.8.2
Debiannpm< 7.24.0+ds-2+2

Patches

Patch: cert-portal.siemens.comPatch: www.oracle.comPatch: cert-portal.siemens.com

🔴Vulnerability Details

4
GHSA
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist2021-08-31
OSV
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist2021-08-31
OSV
CVE-2021-39135: `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aim2021-08-31
CVEList
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist2021-08-31

📋Vendor Advisories

2
Red Hat
nodejs-arborist: symlink following vulnerability2021-08-31
Debian
CVE-2021-39135: npm - `@npmcli/arborist`, the library that calculates dependency trees and manages the...2021