阿里云漏洞库

漏洞描述

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v16.15.1
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/npm-packlist
https://security.netapp.com/advisory/ntap-20220722-0007/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	npmjs	npm	*	From (including) 7.9.0	Up to (excluding) 8.11.0
	运行在以下环境
	系统	alma_linux_9	npm	*		Up to (excluding) 16.16.0-1.el9_0
	运行在以下环境
	系统	opensuse_Leap_15.3	npm16	*		Up to (excluding) 16.17.0-150300.7.9.1
	运行在以下环境
	系统	opensuse_Leap_15.4	npm16	*		Up to (excluding) 16.17.0-150400.3.6.1
	运行在以下环境
	系统	oracle_9	npm	*		Up to (excluding) 16.16.0-1.el9_0
	运行在以下环境
	系统	redhat_9	npm	*		Up to (excluding) 16.16.0-1.el9_0
	运行在以下环境
	系统	rocky_linux_9	nodejs-nodemon	*		Up to (excluding) 2.0.19-1.el9_0

攻击路径

本地
攻击复杂度

复杂
权限要求

普通权限
影响范围

越权影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-200	信息暴露
NVD-CWE-noinfo

中危 npmjs npm 信息暴露

漏洞描述

解决建议

参考链接

受影响软件情况