CVE-2021-39134 (CNNVD-202108-2752)

HIGH
Chinese title:
NPM arborist link following vulnerability
English title:
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
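CVSS score: 8.2
Published: 2021-08-31 16:55:11
Vulnerability type: Link following
Status: PUBLISHED
Data quality score: 0.30
Data version: v3
Vulnerability description
Chinese description:

NPM arborist is a software package from npm (NPM), a US company. It is used to visualize hierarchical data stored as a flat list. arborist has a link following vulnerability that allows an attacker to perform arbitrary file creation, arbitrary file overwrite, and arbitrary code execution.

English description: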

`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `"foo": "file:/some/path"`. Another package, `pwn-b` could define a dependency such as `FOO: "file:foo.tgz"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.

CWE types:
CWE-61 CWE-178
Tags:
(No data)
Affected products
Vendor | Product | Version | Version range | Platform | CPE
npm | arborist | < 2.8.2 | - | - | cpe:2.3:a:npm:arborist:<_2.8.2:*:*:*:*:*:*:*
npmjs | arborist | * | - | - | cpe:2.3:a:npmjs:arborist:*:*:*:*:*:node.js:*:*
oracle | graalvm | 20.3.3 | - | - | cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
oracle | graalvm | 21.2.0 | - | - | cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*
siemens | sinec_infrastructure_network_services | * | - | - | cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
Solution
Chinese solution:
(No data)
English solution:
(No data)
Workaround:
(No data)
CVSS score details
3.1 (cna)
HIGH
8.2
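CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Time information
Published:
2021-08-31 16:55:11
Modified:
2024-08-04 01:58:17
Created:
2025-11-11 15:37:00
Updated:
2025-11-11 15:56:52
Exploit information
No exploit code information available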
Data source details
Data source | Record ID | Version | Extraction time
CVE | cve_CVE-2021-39134 | 2025-11-11 15:21:03 | 2025-11-11 07:37:00
NVD | nvd_CVE-2021-39134 | 2025-11-11 14:57:41 | 2025-11-11 07:45:18
CNNVD | cnnvd_CNNVD-202108-2752 | 2025-11-11 15:10:42 | 2025-11-11 07:56:52
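Version and language
Current version: v3
Primary language: EN
Supported languages:
EN ZH
Security advisories
No security advisory information available
Change history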
v3 CNNVD
2025-11-11 15:56:52
  • vulnerability_type: not extracted -> Link following
  • cnnvd_id: not extracted -> CNNVD-202108-2752
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:45:18
  • affected_products_count: 1 -> 5
  • data_sources: ['cve'] -> ['cve', 'nvd']