Candidate: CVE-2018-7408
PublicDate: 2018-02-22 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7408
 https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0
 https://github.com/npm/npm/issues/19883
Description:
 An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as
 "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g
 npm" command, and also announced in the vendor's blog without mention of
 pre-release status). It might allow local users to bypass intended
 filesystem access restrictions because ownerships of /etc and /usr
 directories are being changed unexpectedly, related to a "correctMkdir"
 issue.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_npm:
upstream_npm: not-affected (code not present)
precise/esm_npm: DNE
trusty_npm: not-affected (code not present)
trusty/esm_npm: not-affected (code not present)
xenial_npm: not-affected (code not present)
artful_npm: ignored (reached end-of-life)
bionic_npm: not-affected (code not present)
cosmic_npm: not-affected (code not present)
devel_npm: not-affected (code not present)