Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
References
Link | Resource |
---|---|
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html | Mailing List Third Party Advisory |
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07 | Release Notes Third Party Advisory |
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc | Patch Third Party Advisory |
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp | Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ | |
https://security.gentoo.org/glsa/202101-07 | Third Party Advisory |
Configurations
History
02 Aug 2022, 20:44
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:* |
|
References | (GENTOO) https://security.gentoo.org/glsa/202101-07 - Third Party Advisory | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html - Mailing List, Third Party Advisory | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html - Mailing List, Third Party Advisory | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ - Mailing List, Third Party Advisory |
Information
Published : 2020-07-07 19:15
Updated : 2024-02-04 21:00
NVD link : CVE-2020-15095
Mitre link : CVE-2020-15095
CVE.ORG link : CVE-2020-15095
JSON object : View
Products Affected
npmjs
- npm
fedoraproject
- fedora
opensuse
- leap
CWE
CWE-532
Insertion of Sensitive Information into Log File