CVE-2019-5484

Name
CVE-2019-5484
Description
Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://github.com/bower/bower/commit/45c6bfa86f6e57731b153baca9e0b41a1cc699e3
Exploit https://hackerone.com/reports/473811
Exploit https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction
MLIST https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
MLIST https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:bower:bower:*:*:*:*:*:node.js:*:* bower >= None < 1.8.8

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
bower 3.15-community 0.13-r0 Clayton Craft <clayton@craftyguy.net> possibly vulnerable
bower 3.16-community 0.13-r1 Clayton Craft <clayton@craftyguy.net> possibly vulnerable
bower 3.17-community 1.0-r0 Clayton Craft <clayton@craftyguy.net> possibly vulnerable
bower edge-community 1.0-r2 Clayton Craft <clayton@craftyguy.net> possibly vulnerable
bower 3.18-community 1.0-r1 Clayton Craft <clayton@craftyguy.net> possibly vulnerable
bower 3.19-community 1.0-r2 Clayton Craft <clayton@craftyguy.net> possibly vulnerable