Home

CVE-2022-29244

Description

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
1.074

Associated Vulnerability

VulnerabilityOS Platform
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.15Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.11Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 11.1Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.18Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.4.0Windows
Nodejs update (ELSA-2022-6595) nodejs-16.16.0-1.el9_0.x86_64.rpmLinux
Nodejs-docs update (ELSA-2022-6595) nodejs-docs-16.16.0-1.el9_0.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2022-6595) nodejs-full-i18n-16.16.0-1.el9_0.x86_64.rpmLinux
Nodejs-libs update (ELSA-2022-6595) nodejs-libs-16.16.0-1.el9_0.i686.rpmLinux
Nodejs-libs update (ELSA-2022-6595) nodejs-libs-16.16.0-1.el9_0.x86_64.rpmLinux
Nodejs-nodemon update (ELSA-2022-6595) nodejs-nodemon-2.0.19-1.el9_0.noarch.rpmLinux
Npm update (ELSA-2022-6595) npm-8.11.0-1.16.16.0.1.el9_0.x86_64.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-16.16.0-1.el9_0.x86_64.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-debugsource-16.16.0-1.el9_0.i686.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-debugsource-16.16.0-1.el9_0.x86_64.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-docs-16.16.0-1.el9_0.noarch.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-full-i18n-16.16.0-1.el9_0.x86_64.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-libs-16.16.0-1.el9_0.i686.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-libs-16.16.0-1.el9_0.x86_64.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update nodejs-nodemon-2.0.19-1.el9_0.noarch.rpmLinux
(RHSA-2022:6595) nodejs and nodejs-nodemon security and bug fix update npm-8.11.0-1.16.16.0.1.el9_0.x86_64.rpmLinux
Npm update (ELSA-2025-8514) npm-10.8.2-1.20.19.2.1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux
Nodejs-packaging-bundler update (ELSA-2025-8514) nodejs-packaging-bundler-2021.06-4.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-packaging update (ELSA-2025-8514) nodejs-packaging-2021.06-4.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-nodemon update (ELSA-2025-8514) nodejs-nodemon-3.0.1-1.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2025-8514) nodejs-full-i18n-20.19.2-1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux
Nodejs-docs update (ELSA-2025-8514) nodejs-docs-20.19.2-1.module+el8.10.0+90611+29f3ae1e.noarch.rpmLinux
Nodejs-devel update (ELSA-2025-8514) nodejs-devel-20.19.2-1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux
Nodejs update (ELSA-2025-8514) nodejs-20.19.2-1.module+el8.10.0+90611+29f3ae1e.x86_64.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234