Information Disclosure

2020-07-0904:14:13

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

JSON

npm is vulnerable to information disclosure. The URL in the format ://[[:]@][:][:][/] is supported and the password is not redacted when printed to stdout or log files. This allows a user with access to the system to retrieve the usernames and passwords.

CPENameOperatorVersion
npmle5.0.0-2
npmle5.3.0
npmle6.2.0-next.1
npmle6.14.5
npmle6.14.5
rh-nodejs12-nodejseq12.10.0__4.el7
rh-nodejs12-nodejseq12.14.1__1.el7
rh-nodejs10-nodejseq10.10.0__3.el7
rh-nodejs10-nodejseq10.19.0__1.el7
rh-nodejs10-nodejseq10.16.3__4.el7

Name	Operator	Version
npm	le	5.0.0-2
npm	le	5.3.0
npm	le	6.2.0-next.1
npm	le	6.14.5
npm	le	6.14.5
rh-nodejs12-nodejs	eq	12.10.0__4.el7
rh-nodejs12-nodejs	eq	12.14.1__1.el7
rh-nodejs10-nodejs	eq	10.10.0__3.el7
rh-nodejs10-nodejs	eq	10.19.0__1.el7
rh-nodejs10-nodejs	eq	10.16.3__4.el7