
Fix CVE-2021-43616 #377

Merged

Conversation

debricked[bot] (Contributor) commented May 3, 2022

CVE-2021-43616

Vulnerable dependency: npm (npm) 7.24.2

Vulnerability details

Description

Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

NVD

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

CVSS details: 9.8

CVSS3 metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
References

    NVD - CVE-2021-43616
    [BUG] npm ci succeeds when package-lock.json doesn't match package.json · Issue #2701 · npm/cli · GitHub
    npm-ci | npm Docs
    GitHub - icatalina/CVE-2021-43616: Repo demonstrating CVE-2021-43616 / https://github.com/npm/cli/issues/2701
    Our dependencies are under attack, and this time we were lucky… | by Rotem Bar | Cider Security | Medium
    CVE-2021-43616 NPM Vulnerability in NetApp Products | NetApp Product Security
    fix(ci): lock file validation · npm/cli@457e0ae · GitHub
    [SECURITY] Fedora 35 Update: nodejs-16.14.0-2.fc35 - package-announce - Fedora Mailing-Lists


Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

