CVE-2021-43616 Information

Description

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://docs.npmjs.com/cli/v7/commands/npm-ci
https://github.com/npm/cli/issues/2701
https://github.com/icatalina/CVE-2021-43616
https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0
https://security.netapp.com/advisory/ntap-20211210-0002/
https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/

CVSS Metrics (from the vector above)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Base Score: 9.8
Base Severity: HIGH
