NodeJS/bower/1.2.5
The browser package manager
https://www.npmjs.com/package/bower
MIT
3 Security Vulnerabilities
Symlink Arbitrary File Overwrite in bower
Published date: 2019-09-17T23:21:34Z
CVE: CVE-2019-5484
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5484
- https://github.com/advisories/GHSA-p6mr-pxg4-68hx
- https://github.com/bower/bower/commit/45c6bfa86f6e57731b153baca9e0b41a1cc699e3
- https://hackerone.com/reports/473811
- https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/487.json
- https://www.npmjs.com/advisories/776
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E
Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not check that the target of an extracted symbolic link resolves inside the extraction root directory, so a link in a malicious archive can point outside it.
Recommendation:
Update to version 1.8.8 or later
Affected versions:
["0.1.0", "0.1.2", "0.1.3", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.5", "0.6.6", "0.6.7", "0.6.8", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.8.5", "0.8.6", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.5.4", "1.4.2", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7.0", "1.7.1", "1.7.2", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.0", "1.8.2", "1.7.10", "1.8.3", "1.8.4", "1.8.6", "1.8.7"]
Secure versions:
["1.8.8", "1.8.9", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14"]
Recommendation:
Update to version 1.8.14.
Arbitrary File Write Through Archive Extraction
Published date: 2019-01-24
Attackers can write arbitrary files when a malicious archive is extracted.
Affected versions:
["0.1.0", "0.1.2", "0.1.3", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.5", "0.6.6", "0.6.7", "0.6.8", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.8.5", "0.8.6", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.5.4", "1.4.2", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7.0", "1.7.1", "1.7.2", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.0", "1.8.2", "1.7.10", "1.8.3", "1.8.4", "1.8.6"]
Secure versions:
["1.8.8", "1.8.9", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14"]
Recommendation:
Update bower to the latest patch version (>=1.8.7).
Path Traversal
Published date: 2019-01-26
CVEs: ["CVE-2019-5484"]
CVSS Score: 8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
[bower] Arbitrary File Write through improper validation of symlinks during package extraction
Affected versions:
["0.1.0", "0.1.2", "0.1.3", "0.2.0", "0.3.0", "0.3.1", "0.3.2", "0.4.0", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.6.2", "0.6.3", "0.6.4", "0.6.5", "0.6.6", "0.6.7", "0.6.8", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.8.5", "0.8.6", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.5.4", "1.4.2", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7.0", "1.7.1", "1.7.2", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.0", "1.8.2", "1.7.10", "1.8.3", "1.8.4", "1.8.6", "1.8.7"]
Secure versions:
["1.8.8", "1.8.9", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14"]
Recommendation:
Update the bower module to version >=1.8.8.
99 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
0.1.0 | MIT | 3 | 2012-09-04 - 23:58 | over 11 years |
0.1.2 | MIT | 3 | 2012-09-16 - 21:38 | over 11 years |
0.1.3 | MIT | 3 | 2012-09-18 - 17:38 | over 11 years |
0.2.0 | MIT | 3 | 2012-09-25 - 20:56 | over 11 years |
0.3.0 | MIT | 3 | 2012-10-22 - 22:41 | over 11 years |
0.3.1 | MIT | 3 | 2012-10-31 - 17:59 | over 11 years |
0.3.2 | MIT | 3 | 2012-11-04 - 18:42 | over 11 years |
0.4.0 | MIT | 3 | 2012-11-12 - 01:12 | over 11 years |
0.5.0 | MIT | 3 | 2012-11-19 - 20:20 | over 11 years |
0.5.1 | MIT | 3 | 2012-11-20 - 21:29 | over 11 years |
0.6.0 | MIT | 3 | 2012-11-21 - 23:31 | over 11 years |
0.6.1 | MIT | 3 | 2012-11-23 - 01:44 | over 11 years |
0.6.2 | MIT | 3 | 2012-11-23 - 09:24 | over 11 years |
0.6.3 | MIT | 3 | 2012-11-24 - 15:37 | over 11 years |
0.6.4 | MIT | 3 | 2012-11-30 - 00:52 | over 11 years |
0.6.5 | MIT | 3 | 2012-12-01 - 14:37 | over 11 years |
0.6.6 | MIT | 3 | 2012-12-03 - 22:34 | over 11 years |
0.6.7 | MIT | 3 | 2012-12-10 - 17:57 | over 11 years |
0.6.8 | MIT | 3 | 2012-12-14 - 11:05 | over 11 years |
0.7.0 | MIT | 3 | 2013-02-01 - 00:42 | over 11 years |
0.7.1 | MIT | 3 | 2013-02-18 - 22:04 | about 11 years |
0.8.0 | MIT | 3 | 2013-02-24 - 16:23 | about 11 years |
0.8.1 | MIT | 3 | 2013-02-25 - 23:40 | about 11 years |
0.8.2 | MIT | 3 | 2013-02-26 - 21:04 | about 11 years |
0.8.3 | MIT | 3 | 2013-02-27 - 10:09 | about 11 years |
0.8.4 | MIT | 3 | 2013-03-01 - 11:49 | about 11 years |
0.8.5 | MIT | 3 | 2013-03-04 - 01:54 | about 11 years |
0.8.6 | MIT | 3 | 2013-04-03 - 22:54 | about 11 years |
0.9.0 | MIT | 3 | 2013-04-25 - 22:18 | about 11 years |
0.9.1 | MIT | 3 | 2013-04-27 - 11:04 | about 11 years |
0.9.2 | MIT | 3 | 2013-04-27 - 12:01 | about 11 years |
0.10.0 | MIT | 3 | 2013-07-23 - 00:08 | almost 11 years |
1.0.0 | MIT | 3 | 2013-07-23 - 00:13 | almost 11 years |
1.0.1 | MIT | 3 | 2013-07-29 - 22:59 | almost 11 years |
1.0.2 | MIT | 3 | 2013-07-29 - 23:18 | almost 11 years |
1.0.3 | MIT | 3 | 2013-07-30 - 08:00 | almost 11 years |
1.1.0 | MIT | 3 | 2013-08-03 - 16:32 | almost 11 years |
1.1.1 | MIT | 3 | 2013-08-08 - 13:14 | almost 11 years |
1.1.2 | MIT | 3 | 2013-08-10 - 15:11 | almost 11 years |
1.2.0 | MIT | 3 | 2013-08-19 - 07:44 | over 10 years |
1.2.1 | MIT | 3 | 2013-08-19 - 18:21 | over 10 years |
1.2.2 | MIT | 3 | 2013-08-20 - 22:33 | over 10 years |
1.2.3 | MIT | 3 | 2013-08-22 - 18:10 | over 10 years |
1.2.4 | MIT | 3 | 2013-08-23 - 22:13 | over 10 years |
1.2.5 | MIT | 3 | 2013-08-28 - 21:07 | over 10 years |
1.2.6 | MIT | 3 | 2013-09-04 - 01:44 | over 10 years |
1.2.7 | MIT | 3 | 2013-09-29 - 22:07 | over 10 years |
1.2.8 | MIT | 3 | 2013-12-02 - 13:45 | over 10 years |
1.3.0 | MIT | 3 | 2014-03-11 - 11:59 | about 10 years |
1.3.1 | MIT | 3 | 2014-03-11 - 23:39 | about 10 years |
1.3.2 | MIT | 3 | 2014-04-07 - 09:30 | about 10 years |
1.3.3 | MIT | 3 | 2014-04-24 - 20:58 | about 10 years |
1.3.4 | MIT | 3 | 2014-06-02 - 14:22 | almost 10 years |
1.3.5 | MIT | 3 | 2014-06-08 - 10:15 | almost 10 years |
1.3.6 | MIT | 3 | 2014-07-02 - 13:07 | almost 10 years |
1.3.7 | MIT | 3 | 2014-07-04 - 12:07 | almost 10 years |
1.3.8 | MIT | 3 | 2014-07-11 - 20:49 | almost 10 years |
1.3.9 | MIT | 3 | 2014-08-06 - 19:38 | almost 10 years |
1.3.10 | MIT | 3 | 2014-09-13 - 14:52 | over 9 years |
1.3.11 | MIT | 3 | 2014-09-18 - 00:25 | over 9 years |
1.3.12 | MIT | 3 | 2014-09-28 - 16:39 | over 9 years |
1.4.0 | MIT | 3 | 2015-03-30 - 22:50 | about 9 years |
1.4.1 | MIT | 3 | 2015-04-01 - 07:40 | about 9 years |
1.5.0 | MIT | 3 | 2015-08-23 - 13:27 | over 8 years |
1.5.1 | MIT | 3 | 2015-08-23 - 14:38 | over 8 years |
1.5.2 | MIT | 3 | 2015-08-25 - 20:39 | over 8 years |
1.5.3 | MIT | 3 | 2015-09-24 - 12:04 | over 8 years |
1.6.2 | MIT | 3 | 2015-10-15 - 14:22 | over 8 years |
1.6.3 | MIT | 3 | 2015-10-16 - 09:49 | over 8 years |
1.6.4 | MIT | 3 | 2015-10-24 - 10:08 | over 8 years |
1.6.5 | MIT | 3 | 2015-10-24 - 10:18 | over 8 years |
1.5.4 | MIT | 3 | 2015-11-24 - 17:03 | over 8 years |
1.4.2 | MIT | 3 | 2015-11-24 - 17:08 | over 8 years |
1.6.6 | MIT | 3 | 2015-11-25 - 15:46 | over 8 years |
1.6.7 | MIT | 3 | 2015-11-26 - 11:32 | over 8 years |
1.6.8 | MIT | 3 | 2015-11-27 - 14:57 | over 8 years |
1.6.9 | MIT | 3 | 2015-12-04 - 21:27 | over 8 years |
1.7.0 | MIT | 3 | 2015-12-07 - 12:52 | over 8 years |
1.7.1 | MIT | 3 | 2015-12-11 - 20:46 | over 8 years |
1.7.2 | MIT | 3 | 2015-12-31 - 02:09 | over 8 years |
1.7.5 | MIT | 3 | 2016-01-26 - 21:42 | over 8 years |
1.7.6 | MIT | 3 | 2016-01-27 - 10:59 | over 8 years |
1.7.7 | MIT | 3 | 2016-01-27 - 17:23 | over 8 years |
1.7.8 | MIT | 3 | 2016-04-04 - 17:14 | about 8 years |
1.7.9 | MIT | 3 | 2016-04-05 - 11:54 | about 8 years |
1.8.0 | MIT | 3 | 2016-11-07 - 10:01 | over 7 years |
1.8.2 | MIT | 3 | 2017-09-13 - 16:46 | over 6 years |
1.7.10 | MIT | 3 | 2017-09-13 - 17:41 | over 6 years |
1.8.3 | MIT | 3 | 2018-03-28 - 18:10 | about 6 years |
1.8.4 | MIT | 3 | 2018-03-28 - 19:04 | about 6 years |
1.8.6 | MIT | 3 | 2019-01-17 - 13:38 | over 5 years |
1.8.7 | MIT | 2 | 2019-01-17 - 22:39 | over 5 years |
1.8.8 | MIT | | 2019-01-23 - 21:25 | over 5 years |
1.8.9 | MIT | | 2021-01-14 - 16:26 | over 3 years |
1.8.10 | MIT | | 2021-01-14 - 17:46 | over 3 years |
1.8.11 | MIT | | 2021-01-18 - 11:02 | over 3 years |
1.8.12 | MIT | | 2021-01-18 - 15:45 | over 3 years |
1.8.13 | MIT | | 2021-11-15 - 15:10 | over 2 years |
1.8.14 | MIT | | 2022-03-14 - 15:41 | about 2 years |