The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
References
Link | Resource |
---|---|
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability | Vendor Advisory |
http://www-01.ibm.com/support/docview.wss?uid=swg21980827 | Vendor Advisory |
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 | Patch Third Party Advisory |
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 | Patch Third Party Advisory |
https://github.com/npm/npm/issues/8380 | Third Party Advisory |
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
15 Jun 2021, 16:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:npm:npm:3.3.5:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.7.5:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.6:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.9:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.5.2:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.6.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.3:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.4:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:*:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.7.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.5.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.4.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.7.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.5.3:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.10:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.5.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.12:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.7.4:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.8.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.8:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.1.3:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.7:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.2.2:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.1.2:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.7.2:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.8.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.5.4:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.7.3:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.1.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:npm:npm:3.3.11:*:*:*:*:*:*:* |
cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:* |
References | (CONFIRM) https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/npm/npm/issues/8380 - Third Party Advisory | |
References | (CONFIRM) https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 - Patch, Third Party Advisory | |
References | (CONFIRM) http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability - Vendor Advisory |
Information
Published : 2016-07-02 14:59
Updated : 2024-02-04 18:53
NVD link : CVE-2016-3956
Mitre link : CVE-2016-3956
CVE.ORG link : CVE-2016-3956
JSON object : View
Products Affected
npmjs
- npm
nodejs
- node.js
ibm
- sdk
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor