GoogleOSV:GHSA-93F3-23RQ-PJFPnpm CLI exposing sensitive information through logs
4.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
15.3%
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.
References
lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
lists.fedoraproject.org/archives/list/[email protected]/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6
nvd.nist.gov/vuln/detail/CVE-2020-15095
security.gentoo.org/glsa/202101-07
Related
4.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
15.3%