SB2020020426 - Red Hat Enterprise Linux 8 update for nodejs:12
Published: February 4, 2020 Updated: February 25, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Symlink following (CVE-ID: CVE-2019-16775)
The vulnerability allows a remote attacker to perform directory traversal attacks.
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected.
2) Improper input validation (CVE-ID: CVE-2019-16776)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the JavaScript (Node.js) component in Oracle GraalVM Enterprise Edition. A remote authenticated user can exploit this vulnerability to read and manipulate data.
3) Path traversal (CVE-ID: CVE-2019-16777)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. The software fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin
A remote attacker can overwrite arbitrary files on the system.
Remediation
Install update from vendor's website.