Vulnerability Details : CVE-2022-29244
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files into the npm registry that they did not intend to include. Users should upgrade to the latest patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
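As an added defender-side check (not part of the advisory or of npm's own code), the script below audits the file list reported by `npm pack --dry-run --json` against the patterns of a root-level .npmignore and flags anything that would have shipped despite those rules. The sample pack report, the ignore file and the package name are constructed, and the matcher implements only a small subset of gitignore semantics.

```python
import fnmatch
import json

# Constructed sample of the JSON `npm pack --dry-run --json` emits for a
# workspace package; .env and coverage/ are what a root .npmignore would exclude.
SAMPLE_PACK_JSON = """[{
  "name": "@example/ws-pkg",
  "version": "1.0.0",
  "filename": "example-ws-pkg-1.0.0.tgz",
  "files": [
    {"path": "package.json", "size": 210, "mode": 420},
    {"path": "index.js", "size": 1024, "mode": 420},
    {"path": ".env", "size": 64, "mode": 420},
    {"path": "coverage/lcov.info", "size": 4096, "mode": 420},
    {"path": "docs/notes.md", "size": 300, "mode": 420}
  ]
}]"""

# Constructed contents of the repository's root-level .npmignore.
ROOT_NPMIGNORE = """
# secrets and local config
.env
*.pem
coverage/
"""

def parse_ignore(text):
    """Return the patterns of an ignore file, skipping blanks and comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def matches(path, pattern):
    """Minimal gitignore-style match: 'dir/' patterns match anything below that
    directory; other patterns are globbed against the full path and its basename."""
    if pattern.endswith("/"):
        return path.startswith(pattern) or ("/" + pattern) in path
    name = path.rsplit("/", 1)[-1]
    return fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(name, pattern)

def leaked_files(pack_json, ignore_text):
    """Tarball paths that the root ignore file says should have been excluded."""
    patterns = parse_ignore(ignore_text)
    return [entry["path"]
            for pkg in json.loads(pack_json)
            for entry in pkg["files"]
            if any(matches(entry["path"], p) for p in patterns)]

if __name__ == "__main__":
    for path in leaked_files(SAMPLE_PACK_JSON, ROOT_NPMIGNORE):
        print("in tarball despite root ignore rule:", path)
```

On a real repository, pipe the output of `npm pack --dry-run --json` run inside the workspace into `leaked_files` together with the root ignore file; an empty result means the root rules were honoured.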
Vulnerability category: Information leak
Products affected by CVE-2022-29244
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29244
- 0.20%: probability of exploitation activity in the next 30 days
- ~58%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29244
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2022-29244
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-29244
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish : cli/workspaces/libnpmpublish at latest · npm/cli · GitHub (Product; Third Party Advisory)
- https://github.com/nodejs/node/pull/43210 : deps: upgrade npm to 8.11.0 by npm-cli-bot · Pull Request #43210 · nodejs/node · GitHub (Patch; Third Party Advisory)
- https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52 : Packing does not respect root-level ignore files in workspaces · Advisory · npm/cli · GitHub (Third Party Advisory)
- https://github.com/npm/cli/releases/tag/v8.11.0 : Release v8.11.0 · npm/cli · GitHub (Release Notes; Third Party Advisory)
- https://github.com/npm/npm-packlist : GitHub - npm/npm-packlist: Walk through a folder and figure out what goes in an npm package (Product; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220722-0007/ : CVE-2022-29244 NPM Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpack : cli/workspaces/libnpmpack at latest · npm/cli · GitHub (Product; Third Party Advisory)
- https://github.com/nodejs/node/releases/tag/v16.15.1 : Release 2022-06-01, Version 16.15.1 'Gallium' (LTS), @BethGriggs prepared by @juanarbol · nodejs/node · GitHub (Release Notes; Third Party Advisory)
- https://github.com/nodejs/node/releases/tag/v17.9.1 : Release 2022-06-01, Version 17.9.1 (Current), @ruyadorno · nodejs/node · GitHub (Release Notes; Third Party Advisory)
- https://github.com/nodejs/node/releases/tag/v18.3.0 : Release 2022-06-01, Version 18.3.0 (Current), @bengl · nodejs/node · GitHub (Release Notes; Third Party Advisory)