org.webjars:npm@5.0.0-2 vulnerabilities

  • latest version

    5.0.0-2

  • first published

    10 years ago

  • latest version published

    6 years ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars:npm package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Insertion of Sensitive Information into Log File

    org.webjars:npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

    How to fix Insertion of Sensitive Information into Log File?

    There is no fixed version for org.webjars:npm.

    [0,)
    • H
    Arbitrary File Write

    org.webjars:npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

    For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    How to fix Arbitrary File Write?

    Upgrade org.webjars:npm to version 6.14.5 or higher.

    [,6.14.5)
    • L
    Unauthorized File Access

    org.webjars:npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

    For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    How to fix Unauthorized File Access?

    There is no fixed version for org.webjars:npm.

    [0,)
    • H
    Arbitrary File Overwrite

    org.webjars:npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin.

    For npm, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    How to fix Arbitrary File Overwrite?

    There is no fixed version for org.webjars:npm.

    [0,)
    • M
    Access Restriction Bypass

    org.webjars:npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

    How to fix Access Restriction Bypass?

    There is no fixed version for org.webjars:npm.

    [0,)