7 matches found
Ubuntu 16.04 ESM / 18.04 ESM : npm vulnerability (USN-4785-1)
The remote Ubuntu 16.04 ESM / 18.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-4785-1 advisory. It was discovered that the npm command-line interface mishandled certain sensitive information. An attacker could use this vulnerability to collect...
Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2016-3956
Summary: HTTP bearer token leak in the npm package management tool. Vulnerability Details: CVE-ID: CVE-2016-3956. Description: npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the command-line interface. By setting up an HTTP...
Security Bulletin: Node.js Package Manager (npm) Bearer Token Vulnerability affects IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-3956)
Summary: Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. A vulnerability in the Node Package Manager's use of HTTP bear...
Security Bulletin: Node.js Package Manager (npm) Bearer Token Vulnerability affects IBM Rational Application Developer for WebSphere Software (CVE-2016-3956)
Summary: A vulnerability in the Node Package Manager's use of HTTP bearer tokens affects IBM SDK for Node.js. Vulnerability Details: CVEID: CVE-2016-3956. DESCRIPTION: npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the...
Design/Logic Flaw
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-3956. Reason: This candidate is a duplicate of CVE-2016-3956. Notes: All CVE users should reference CVE-2016-3956 instead of this candidate. All references and descriptions in this candidate have been removed to prevent...
CVE-2016-1000014
CVE-2016-1000014 is a duplicate of CVE-2016-3956; the CVE entry has been superseded and should reference CVE-2016-3956 instead. The connected documents describe the actual vulnerability as an HTTP Bearer Token leakage in npm, enabling a remote attacker to obtain tokens and impersonate users. IBM ...
CVE-2016-3956
CVE-2016-3956 describes an HTTP bearer token leak in the npm CLI, allowing a remote attacker to obtain sensitive information via Authorization headers. Affected npm versions include those prior to 2.15.1 and 3.x prior to 3.8.3, used with Node.js 0.10 (before 0.10.44), 0.12 (before 0.12.13), 4 (before 4...