---

CVE-2021-43616 - log back

CVE-2021-43616 edited at 13 Nov 2021 19:26:18
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Insufficient validation
Description	+ The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
References	+ https://github.com/npm/cli/issues/2701 + https://docs.npmjs.com/cli/v7/commands/npm-ci/
Notes

CVE-2021-43616 created at 13 Nov 2021 19:24:31