Lucene search

K
cvelistGitHub_MCVELIST:CVE-2020-15095
HistoryJul 07, 2020 - 6:55 p.m.

CVE-2020-15095 Sensitive information exposure through logs in npm cli

2020-07-0718:55:12
CWE-532
GitHub_M
www.cve.org
9
npm cli
information exposure
log files
vulnerability
password

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

5.9

Confidence

High

EPSS

0.001

Percentile

17.2%

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like “<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>”. The password value is not redacted and is printed to stdout and also to any generated log files.

CNA Affected

[
  {
    "product": "cli",
    "vendor": "npm",
    "versions": [
      {
        "status": "affected",
        "version": "< 6.14.6"
      }
    ]
  }
]

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

5.9

Confidence

High

EPSS

0.001

Percentile

17.2%