CVE-2019-5484
Arbitrary File Write vulnerability in bower (npm)


What is CVE-2019-5484 About?

This arbitrary file write vulnerability in `bower` exists due to improper validation of symbolic links during archive extraction. It allows an attacker to write files outside of the intended extraction directory. Exploitation is possible by crafting a malicious archive containing symbolic links.

Affected Software

bower <1.8.8

Technical Details

The vulnerability in bower versions prior to 1.8.8 stems from an insecure design flaw in the extraction of archive files (e.g., .zip, .tar): bower fails to verify that symbolic links (symlinks) contained in an archive resolve to paths inside the designated extraction root directory. An attacker can craft an archive that includes a symlink pointing to an arbitrary location on the file system (e.g., /etc/passwd). When bower extracts the archive it creates the symlink, and any later archive entry whose path passes through that symlink is written to the link's target rather than into the extraction directory, resulting in an arbitrary file write.

What is the Impact of CVE-2019-5484?

Successful exploitation may allow attackers to write arbitrary files to restricted locations on the file system, potentially leading to privilege escalation, arbitrary code execution, or denial of service by overwriting critical system files.

What is the Exploitability of CVE-2019-5484?

Exploitation requires an attacker to provide a specially crafted package archive (e.g., a .zip or .tar file) containing malicious symbolic links. This typically involves an attacker controlling the package source that bower is instructed to install. No authentication is required, as the vulnerability resides in the package extraction mechanism. Privilege requirements depend on the context in which bower is run; if run with elevated privileges, the impact of arbitrary file write is significantly higher. This is usually a local vulnerability from the perspective of file system access, but it can be triggered remotely if an attacker can host a malicious package that bower attempts to download and extract. The complexity of crafting such an archive is moderate.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-5484?

Available Upgrade Options

  • bower
    • <1.8.8 → Upgrade to 1.8.8


Additional Resources

What are Similar Vulnerabilities to CVE-2019-5484?

Similar Vulnerabilities: CVE-2007-0010, CVE-2018-1000007, CVE-2019-16782, CVE-2022-37965, CVE-2020-28243