Vulnerability Name: CVE-2021-43616 (CCN-213469)
Assigned: 2021-02-14
Published: 2021-02-14
Updated: 2022-10-17

Summary: ** DISPUTED ** The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. Note: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

CVSS v3 Severity:
  9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.6 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
  8.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
  8.6 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)

CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Vulnerability Type: CWE-345
Vulnerability Consequences: Gain Access

References:
  Source: MITRE, Type: CNA - CVE-2021-43616
  Source: MISC, Type: Product, Vendor Advisory - https://docs.npmjs.com/cli/v7/commands/npm-ci
  Source: MISC, Type: UNKNOWN - https://docs.npmjs.com/cli/v8/commands/npm-ci
  Source: XF, Type: UNKNOWN - npm-cve202143616-code-exec(213469)
  Source: MISC, Type: Third Party Advisory - https://github.com/icatalina/CVE-2021-43616
  Source: CONFIRM, Type: Patch, Third Party Advisory - https://github.com/npm/cli/commit/457e0ae61bbc55846f5af44afa4066921923490f
  Source: CCN, Type: NPM GIT Repository - [BUG] npm ci succeeds when package-lock.json doesn't match package.json #2701
  Source: MISC, Type: Exploit, Issue Tracking, Third Party Advisory - https://github.com/npm/cli/issues/2701
  Source: MISC, Type: UNKNOWN - https://github.com/npm/cli/issues/2701#issuecomment-972900511
  Source: MISC, Type: UNKNOWN - https://github.com/npm/cli/issues/2701#issuecomment-979054224
  Source: FEDORA, Type: Mailing List, Third Party Advisory - FEDORA-2022-97b214b298
  Source: MISC, Type: Exploit, Third Party Advisory - https://medium.com/cider-sec/this-time-we-were-lucky-85c0dcac94a0
  Source: CONFIRM, Type: Third Party Advisory - https://security.netapp.com/advisory/ntap-20211210-0002/
  Source: CCN, Type: IBM Security Bulletin 6566889 (Spectrum Discover) - Critical Vulnerabilities in libraries used by libraries that IBM Spectrum Discover is using (libraries of libraries)
  Source: CCN, Type: IBM Security Bulletin 6831849 (Cloud Pak for Watson AIOps) - Multiple Vulnerabilities in CloudPak for Watson AIOps
  Source: CCN, Type: IBM Security Bulletin 6854981 (Cloud Pak for Security) - IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Vulnerable Configuration:
  Configuration 1:
  Configuration 2:
  Configuration 3:
  Configuration RedHat 1:
  Configuration RedHat 2:
  Configuration CCN 1: