PT-2020-14180 · Npm+6 · Npm Cli+6

Claudiahdz · Published 2020-07-07 · Updated 2024-06-15

CVE-2020-15095 · CVSS v3.1 7.8 High · Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: npm CLI versions prior to 6.14.6

Description: The issue is an information exposure through log files (sensitive data written to a log). The npm CLI accepts URLs of the form <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>, such as a registry, tarball or git dependency URL with credentials embedded in the userinfo part. The password component of such a URL is not redacted: it is printed to stdout and written verbatim to any log file npm generates. Anyone who can read the terminal output, a captured CI job log or the log files therefore obtains the credential in clear text.

Recommendations: Update to npm CLI 6.14.6 or later. Until the update is applied, restrict read access to npm's log files (by default written under ~/.npm/_logs) and to captured build output, and do not embed passwords in URLs passed to npm; configure registry authentication through an auth token in .npmrc instead. Treat any password that has already been written to a log or to CI output as compromised and rotate it.

Weakness Enumeration

Insertion of Sensitive Information into Log File (CWE-532)

Related Identifiers

ALSA-2020:4272
ALSA-2021:0548
ALT-PU-2020-2490
ALT-PU-2020-2925
ALT-PU-2022-3069
CESA-2020_4272
CESA-2021_0548
CVE-2020-15095
GHSA-93F3-23RQ-PJFP
OESA-2022-1769
OPENSUSE-SU-2020:1616-1
OPENSUSE-SU-2020:1644-1
OPENSUSE-SU-2020:1660-1
OPENSUSE-SU-2020_1616-1
OPENSUSE-SU-2020_1644-1
OPENSUSE-SU-2020_1660-1
OPENSUSE-SU-2024:11096-1
RHSA-2020:4272
RHSA-2020:4903
RHSA-2020:5086
RHSA-2020_4272
RHSA-2021:0521
RHSA-2021:0548
RHSA-2021_0548
RLSA-2020:4272
RLSA-2021:0548
SUSE-SU-2020:2800-1
SUSE-SU-2020:2812-1
SUSE-SU-2020:2813-1
SUSE-SU-2020:2823-1
SUSE-SU-2020:2829-1
SUSE-SU-2020:2870-1
SUSE-SU-2020_2812-1
SUSE-SU-2020_2813-1
SUSE-SU-2020_2823-1
SUSE-SU-2020_2829-1
SUSE-SU-2020_2870-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Npm Cli