Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 3.3
CVE Id CVE-2013-4116
Last Modified 23 Apr 2014 08:10:44
Published 22 Apr 2014 10:23:34
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector LOCAL
Access Complexity MEDIUM
Authentication NONE

CVE-2013-4116

Summary

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

Vulnerable Systems

Application

  • Npmjs Node Packaged Modules 1.3.2


References

CONFIRM - https://github.com/npm/npm/issues/3635

CONFIRM - https://github.com/npm/npm/commit/f4d31693

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=983917

CONFIRM - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=715325

XF - node-packaged-cve20134116-symlink(87141)

BID - 61083

MLIST - [oss-security] 20130711 Re: npm uses predictable temporary filenames when unpacking tarballs

MLIST - [oss-security] 20130710 npm uses predictable temporary filenames when unpacking tarballs


Last Updated: 27 May 2016 11:05:03