{"id":"GHSA-ph34-pc88-72gc","summary":"Incorrect Permission Assignment for Critical Resource in NPM","details":"An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue.","aliases":["CVE-2018-7408"],"modified":"2026-02-04T04:05:05.167450Z","published":"2022-05-13T01:53:21Z","related":["CGA-f896-4842-p6h5"],"database_specific":{"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2022-06-28T23:53:12Z","nvd_published_at":"2018-02-22T18:29:00Z","cwe_ids":["CWE-732"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7408"},{"type":"WEB","url":"https://github.com/npm/npm/issues/19883"},{"type":"WEB","url":"https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0"},{"type":"PACKAGE","url":"github.com/npm/cli"},{"type":"WEB","url":"http://blog.npmjs.org/post/171169301000/v571"}],"affected":[{"package":{"name":"npm","ecosystem":"npm","purl":"pkg:npm/npm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.7.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ph34-pc88-72gc/GHSA-ph34-pc88-72gc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}