A vulnerability in the Node Package Manager’s use of HTTP bearer tokens affects IBM SDK for Node.js.
CVEID: CVE-2016-3956
DESCRIPTION: npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the command-line interface. By setting up an HTTP server and collecting token information, an attacker could exploit this vulnerability to impersonate the user and do anything the owner of the token could, including publishing new versions of packages.
CVSS Base Score: 9.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112153> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
IBM Rational Application Developer for WebSphere Software v9.1 and v9.5
| Rational Application Developer | 9.1.x and 9.5.x | PI60886 |
Installation instructions for applying the update to the Cordova platform in the product can be found here: