PT-2018-6109 · Npm · Node-Sass

Published

2018-06-07

Updated

2020-09-01

CVE-2017-16080

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: nodesass (affected versions not specified)

Description: The issue concerns a malicious module named nodesass that was published with the intent to hijack environment variables, sending them to attacker-controlled locations. All versions of this package have been unpublished from the npm registry.

Recommendations: Delete the nodesass package Clear your npm cache Ensure nodesass is not present in any other package.json files on your system Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables Review any service which may have been exposed via credentials in your environment variables, such as a database, for indicators of compromise

Fix

RCE

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-506CWE-200

Related Identifiers

CVE-2017-16080

GHSA-XFMW-2VMM-579C

Affected Products

Node-Sass

PT-2018-6109 · Npm · Node-Sass

CVE-2017-16080

Weakness Enumeration

Related Identifiers

Affected Products

References · 4