diff --git a/advisories/unreviewed/2022/05/GHSA-ppxp-px5q-gwqm/GHSA-ppxp-px5q-gwqm.json b/advisories/unreviewed/2022/05/GHSA-ppxp-px5q-gwqm/GHSA-ppxp-px5q-gwqm.json index 2d4eafc1bf098..2a3294353b411 100644 --- a/advisories/unreviewed/2022/05/GHSA-ppxp-px5q-gwqm/GHSA-ppxp-px5q-gwqm.json +++ b/advisories/unreviewed/2022/05/GHSA-ppxp-px5q-gwqm/GHSA-ppxp-px5q-gwqm.json @@ -1,12 +1,13 @@ { "schema_version": "1.2.0", "id": "GHSA-ppxp-px5q-gwqm", - "modified": "2022-05-24T19:20:36Z", + "modified": "2022-07-18T09:11:47Z", "published": "2022-05-24T19:20:36Z", "aliases": [ "CVE-2021-43616" ], - "details": "The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.", + "summary": "Unchecked dependency verification in ```npm ci```", + "details": "The ```npm ci``` command in @npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.", "severity": [ { "type": "CVSS_V3", @@ -14,7 +15,28 @@ } ], "affected": [ - + { + "package": { + "ecosystem": "npm", + "name": "" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "8.4.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 8.1.3" + } + } ], "references": [ { @@ -48,6 +70,10 @@ { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211210-0002/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/npm/cli/blob/latest/lib/commands/ci.js" } ], "database_specific": {