First published: Tue Aug 31 2021 (Updated: )
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Npmjs Arborist | <2.8.2 | Update to a version higher than 2.8.2 |
| Npmjs Npm | <7.20.7 | Update to 7.20.7 or later |
| Oracle GraalVM | =20.3.3 | Upgrade to a version beyond 20.3.3 |
| Oracle GraalVM | =21.2.0 | Upgrade to a version beyond 21.2.0 |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | Update to a version higher than 1.0.1.1 |
CVE-2021-39135 is a vulnerability in the `@npmcli/arborist` library, which calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface.
The severity of CVE-2021-39135 is high with a CVSS score of 7.8.
The software affected by CVE-2021-39135 is `@npmcli/arborist` versions up to 2.8.2, npm versions below 7.20.7, Oracle GraalVM 20.3.3 and 21.2.0, and Siemens Sinec Infrastructure Network Services up to version 1.0.1.1.
To fix CVE-2021-39135, update `@npmcli/arborist` to a version higher than 2.8.2, update npm to 7.20.7 or later, upgrade Oracle GraalVM to a version beyond 20.3.3 or 21.2.0, and update Siemens Sinec Infrastructure Network Services to a version higher than 1.0.1.1.
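As an added example (not part of this advisory and not npm's own tooling), the following Python script checks a project's package-lock.json and an npm version string against the affected ranges listed in the table above (`@npmcli/arborist` below 2.8.2, npm below 7.20.7). It assumes the lockfileVersion 2/3 layout, where every installed package, nested copies included, appears under the `packages` map keyed by its node_modules path; the sample lockfile and version strings are constructed for illustration.

```python
"""Added example: check a package-lock.json and an npm version string against the
affected ranges listed in the CVE-2021-39135 advisory table
(@npmcli/arborist < 2.8.2, npm < 7.20.7). Not part of the advisory or of npm."""
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

# Affected ranges from the advisory table: anything strictly below these is affected.
AFFECTED_BELOW: Dict[str, str] = {
    "@npmcli/arborist": "2.8.2",
    "npm": "7.20.7",
}

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split 'MAJOR.MINOR.PATCH[-pre][+build]' into ((major, minor, patch), pre).
    Build metadata is dropped; semver says it never affects precedence."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch)), pre


def is_below(version: str, bound: str) -> bool:
    """True if `version` has lower semver precedence than `bound`.
    Pre-release identifiers are compared as plain strings (a simplification of
    the full semver rules that is good enough for a fixed-version check)."""
    v_core, v_pre = parse_semver(version)
    b_core, b_pre = parse_semver(bound)
    if v_core != b_core:
        return v_core < b_core
    if v_pre is None:          # a release never sorts below anything with the same core
        return False
    if b_pre is None:          # a pre-release sorts below the corresponding release
        return True
    return v_pre < b_pre


def package_name(path: str, meta: dict) -> str:
    """Derive the package name from a lockfile v2/v3 'packages' key such as
    'node_modules/foo/node_modules/@scope/bar' (the part after the last
    'node_modules/'), unless the entry carries an explicit name (aliases)."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def find_affected(lockfile: dict, npm_version: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (location, installed_version, first_unaffected_version) for every
    lockfile entry, nested copies included, that falls inside an affected range,
    plus the npm CLI itself when its version is supplied."""
    findings: List[Tuple[str, str, str]] = []
    for path, meta in lockfile.get("packages", {}).items():
        if path == "":                      # the root project entry, not a dependency
            continue
        name = package_name(path, meta)
        bound = AFFECTED_BELOW.get(name)
        installed = meta.get("version")
        if bound and installed and is_below(installed, bound):
            findings.append((path, installed, bound))
    if npm_version is not None and is_below(npm_version, AFFECTED_BELOW["npm"]):
        findings.append(("npm (cli)", npm_version, AFFECTED_BELOW["npm"]))
    return findings


# Constructed sample lockfile (lockfileVersion 2 layout); not taken from any real project.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@npmcli/arborist": {"version": "2.8.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/@npmcli/arborist": {"version": "2.8.2"},
    },
}

if __name__ == "__main__":
    # Usage: python check_cve_2021_39135.py [package-lock.json] [npm-version]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    npm_ver = sys.argv[2] if len(sys.argv) > 2 else "7.20.6"   # constructed sample value
    for where, have, need in find_affected(lock, npm_ver):
        print(f"AFFECTED: {where} has {have}; update to {need} or later")
```

Run it against a real lockfile with `python check_cve_2021_39135.py package-lock.json "$(npm --version)"`. The nested copy of `@npmcli/arborist` at 2.8.2 in the sample is deliberately not reported, while the top-level 2.8.1 copy is; walking the `packages` map rather than only top-level `dependencies` is what catches vendored or nested copies that a shallow check would miss.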
You can find more information about CVE-2021-39135 in the following references: [Siemens advisory](https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf), [GitHub Security Advisory](https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2), [npm package reference](https://www.npmjs.com/package/@npmcli/arborist).