PT-2016-5777 · Npm+3 · Npm+3

James Taylor

Published

2016-04-13

Updated

2021-06-15

CVE-2016-3956

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions npm versions prior to 2.15.1 npm versions 3.x prior to 3.8.3 Node.js versions 0.10 prior to 0.10.44 Node.js versions 0.12 prior to 0.12.13 Node.js versions 4 prior to 4.4.2 Node.js versions 5 prior to 5.10.0

Description The issue allows remote HTTP servers to obtain sensitive information by reading Authorization headers, as the CLI in npm includes bearer tokens with arbitrary requests. An attacker could create an HTTP server to collect tokens and compromise the user's token by causing the npm CLI to make a request to that server. This compromised token could be used to perform actions that the user could do, including publishing new packages.

Recommendations Update npm with npm install npm@latest -g Revoke your Tokens Enable Two-Factor Authentication

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2016-1328

CVE-2016-3956

GHSA-M5H6-HR3Q-22H5

USN-4785-1

Affected Products

Alt Linux

Node.Js

Ubuntu

Npm

PT-2016-5777 · Npm+3 · Npm+3

CVE-2016-3956

Weakness Enumeration

Related Identifiers

Affected Products

References · 18