Vulnerability Name:

CVE-2022-29244 (CCN-228303)

Assigned:2022-04-14
Published:2022-04-14
Updated:2022-10-27
Summary:npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace (those commands gained workspace support in npm v7.9.0 and v7.13.0 respectively) may be affected and may have published files to the npm registry that they did not intend to include. Users should upgrade to the patched npm v8.11.0 or later: npm i -g npm@latest . Node.js v16.15.1, v17.9.1 and v18.3.0 bundle the patched npm v8.11.0. Upgrading does not retract tarballs that were already published; inspect them (for example with `npm pack --dry-run` on a patched npm, or `tar -tzf` on the published .tgz) and rotate any credentials they exposed.
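Added example, not code from npm, Node.js or the advisory: a small Node.js audit that takes the file list of a workspace tarball (from `npm pack --json --dry-run`, or `tar -tzf` on a published .tgz) and reports which entries the repository's root-level .npmignore or .gitignore would have excluded, i.e. what a vulnerable npm (>= 7.9.0, < 8.11.0) may have shipped. The ignore matcher is a deliberately reduced gitignore subset written for this example; the root ignore file and tarball listing are constructed, and the `files[].path` shape of `npm pack --json` output is assumed from npm 8. Paths are re-based onto the workspace directory before matching, which also shows that a root-anchored rule such as `/internal/` never reached into a workspace in the first place.

```javascript
'use strict';
// Added example, not code from npm, Node.js or the advisory. It audits the file
// list of a workspace tarball against the ROOT-level .gitignore/.npmignore that
// npm >= 7.9.0 and < 8.11.0 skipped when packing inside a workspace.
// Supported ignore syntax (a small subset of gitignore): '*', '?', '**',
// leading '/' (anchored at the ignore file's directory), trailing '/'
// (directory only), '!' negation with last-match-wins, '#' comments.

// Compile one ignore pattern into a RegExp over a slash-separated path that is
// relative to the repository root (where the ignore file lives).
function patternToRegExp(pattern) {
  let p = pattern;
  let dirOnly = false;
  if (p.endsWith('/')) { dirOnly = true; p = p.slice(0, -1); }
  // A slash anywhere in the pattern anchors it; a bare name matches at any depth.
  const anchored = p.startsWith('/') || p.includes('/');
  if (p.startsWith('/')) p = p.slice(1);
  let body = '';
  for (let i = 0; i < p.length; i++) {
    const c = p[i];
    if (c === '*' && p[i + 1] === '*') {
      i++; // consume the second '*'
      if (p[i + 1] === '/') { i++; body += '(?:.*/)?'; } else { body += '.*'; }
    } else if (c === '*') {
      body += '[^/]*';
    } else if (c === '?') {
      body += '[^/]';
    } else {
      body += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  // Tarball listings contain files only, so a directory-only rule must match a
  // prefix followed by at least one more path component.
  const suffix = dirOnly ? '/.+$' : '(?:/.*)?$';
  return new RegExp((anchored ? '^' : '^(?:.*/)?') + body + suffix);
}

// Parse .gitignore/.npmignore text into ordered rules.
function parseIgnoreFile(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const negate = line.startsWith('!');
    rules.push({ negate, re: patternToRegExp(negate ? line.slice(1) : line) });
  }
  return rules;
}

// gitignore evaluation order: the last matching rule decides.
function isIgnored(rootRelativePath, rules) {
  let ignored = false;
  for (const rule of rules) {
    if (rule.re.test(rootRelativePath)) ignored = !rule.negate;
  }
  return ignored;
}

// `tar -tzf <pkg>.tgz` prefixes every entry with 'package/'; npm pack --json does not.
function normalizePackedPath(p) {
  return p.startsWith('package/') ? p.slice('package/'.length) : p;
}

// Extract packed file paths from `npm pack --json --dry-run` output: an array of
// results, each with a `files: [{ path, size, mode }]` list (assumed npm 8 shape).
function pathsFromNpmPackJson(jsonText) {
  return JSON.parse(jsonText).flatMap((result) => result.files.map((f) => f.path));
}

// Report packed files that the root-level rules would have excluded. Paths are
// re-based onto the workspace directory so rules behave as they do from the root.
function findLeaks(workspaceDir, packedPaths, rules) {
  const base = workspaceDir.replace(/\/+$/, '');
  return packedPaths
    .map(normalizePackedPath)
    .filter((p) => isIgnored(`${base}/${p}`, rules));
}

// Constructed sample data (not taken from any real repository).
const SAMPLE_ROOT_NPMIGNORE = `
# constructed root-level .npmignore of a monorepo
*.env
!keep.env
/internal/
**/__tests__/
`;
const SAMPLE_PACKED_PATHS = [
  'package.json', 'dist/index.js', '.env', 'config/prod.env',
  'keep.env', 'src/__tests__/api.test.js', 'internal/notes.md',
];

// Audit the constructed workspace 'packages/api'; returns the leaked paths.
function auditSample() {
  return findLeaks('packages/api', SAMPLE_PACKED_PATHS, parseIgnoreFile(SAMPLE_ROOT_NPMIGNORE));
}

console.log('files a vulnerable npm would have packed despite root rules:', auditSample());
```

Run it from the repository root against each workspace's `npm pack --json --dry-run` output; a non-empty result for a version that is already on the registry means those files are public and any secrets in them should be rotated. Note that `internal/notes.md` is not reported: the root-anchored rule `/internal/` only covers `internal/` at the repository root, so it would not have protected the workspace even on a fixed npm. A per-workspace .npmignore or a package.json `files` allowlist is read from the workspace directory itself, independent of the root-level files this CVE concerns.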
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
5.0 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-200
CWE-212
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2022-29244

Source: XF
Type: UNKNOWN
nodejs-cve202229244-info-disc(228303)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/nodejs/node/pull/43210

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/nodejs/node/releases/tag/v16.15.1

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/nodejs/node/releases/tag/v17.9.1

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/nodejs/node/releases/tag/v18.3.0

Source: CCN
Type: npm GIT Repository
fix: pass prefix and workspaces to libnpmpack (#4917)

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/npm/cli/releases/tag/v8.11.0

Source: CCN
Type: npm GIT Repository
Packing does not respect root-level ignore files in workspaces

Source: MISC
Type: Third Party Advisory
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52

Source: MISC
Type: Product, Third Party Advisory
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack

Source: MISC
Type: Product, Third Party Advisory
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish

Source: MISC
Type: Product, Third Party Advisory
https://github.com/npm/npm-packlist

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220722-0007/

Source: CCN
Type: IBM Security Bulletin 6611979 (App Connect Enterprise)
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote authenticated attacker due to Node.js (CVE-2022-29244, CVE-2022-33987)

Source: CCN
Type: IBM Security Bulletin 6837319 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container may be vulnerable to loss of confidentiality due to CVE-2022-29244

Source: CCN
Type: IBM Security Bulletin 6854981 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6955067 (Spectrum Protect Plus)
Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)

Source: CCN
Type: IBM Security Bulletin 6956237 (Spectrum Protect)
Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)

Source: CCN
Type: IBM Security Bulletin 6980799 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6980821 (QRadar Use Case Manager)
IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6984799 (Watson Assistant for Cloud pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244)

Source: CCN
Type: IBM Security Bulletin 6988617 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Node.js

Source: CCN
Type: IBM Security Bulletin 7001867 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005455 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to multiple vulnerabilities

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-29244

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:npmjs:npm:*:*:*:*:*:*:*:* (Version >= 7.9.0 and < 8.11.0)

Configuration 2:
  • cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.redhat.rhsa:def:20226595 | P | RHSA-2022:6595: nodejs and nodejs-nodemon security and bug fix update (Moderate) | 2022-09-20
oval:org.opensuse.security:def:754 | P | Security update for nodejs16 (Moderate) | 2022-09-12