RSS   Vulnerabilities for 'NPM'   RSS

2021-11-13
 
CVE-2021-43616

CWE-345
 

 
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

 
2018-02-22
 
CVE-2018-7408

CWE-732
 

 
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

 

 >>> Vendor: Npmjs 5 Products
Node packaged modules
Marked
NPM
Npm-user-validate
Hosted-git-info


Copyright 2024, cxsecurity.com

 

Back to Top