Bug 1190053 - (CVE-2021-39135) VUL-0: CVE-2021-39135: nodejs6,nodejs8,nodejs4,nodejs10,nodejs14,nodejs12: nodejs-arborist - symlink following vulnerability
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/308823/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-39135:8.1:(AV:...
Depends on:
Blocks:
Reported: 2021-09-01 10:54 UTC by Robert Frohl
Modified: 2022-01-18 14:38 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Robert Frohl 2021-09-01 10:54:53 UTC
rh#1999745

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

This is accomplished by extracting package contents into a project's node_modules folder.

If the node_modules folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system.

Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a node_modules symbolic link would have to be employed.

A preinstall script could replace node_modules with a symlink. (This is prevented by using --ignore-scripts.)
An attacker could supply the target with a git repository, instructing them to run npm install --ignore-scripts in the root. This may be successful, because npm install --ignore-scripts is typically not capable of making changes outside of the project directory, so it may be deemed safe.

Reference:
https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1999745
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39135
https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2
https://www.npmjs.com/package/@npmcli/arborist
Comment 1 OBSbugzilla Bot 2021-11-10 13:40:12 UTC
This is an autogenerated message for OBS integration:
This bug (1190053) was mentioned in
https://build.opensuse.org/request/show/930657 Factory / nodejs14
Comment 3 Swamp Workflow Management 2021-12-02 17:17:39 UTC
SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.1-6.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-12-06 17:40:55 UTC
SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.7-4.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.7-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-06 18:03:58 UTC
openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.7-4.22.1
Comment 6 Swamp Workflow Management 2021-12-07 11:16:36 UTC
openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.1-15.21.2
Comment 7 Swamp Workflow Management 2021-12-07 11:18:51 UTC
SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.1-15.21.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.18.1-15.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-12-10 14:33:48 UTC
openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.18.1-lp152.17.1
Comment 9 Swamp Workflow Management 2021-12-12 05:18:40 UTC
openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.7-lp152.3.21.1
Comment 11 Swamp Workflow Management 2022-01-18 14:38:36 UTC
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.