CVE-2016-3956
Published: 2 July 2016
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
From the Ubuntu Security Team
It was discovered that the npm command-line interface mishandled certain sensitive information. An attacker could use this vulnerability to collect authentication information that could be used to impersonate other users.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
npm Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Released
(3.5.2-0ubuntu4.1.18.04.1~esm1)
Available with Ubuntu Pro |
|
| cosmic |
Not vulnerable
(3.8.3)
|
|
| disco |
Not vulnerable
(3.8.3)
|
|
| eoan |
Not vulnerable
(3.8.3)
|
|
| focal |
Not vulnerable
(3.8.3)
|
|
| groovy |
Not vulnerable
(3.8.3)
|
|
| hirsute |
Not vulnerable
(3.8.3)
|
|
| impish |
Not vulnerable
(3.8.3)
|
|
| jammy |
Not vulnerable
(3.8.3)
|
|
| kinetic |
Not vulnerable
(3.8.3)
|
|
| lunar |
Not vulnerable
(3.8.3)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Released
(3.5.2-0ubuntu4.1.16.04.1~esm1)
Available with Ubuntu Pro |
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
|
|
Patches: upstream: https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 upstream: https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
- https://github.com/npm/npm/issues/8380
- http://www-01.ibm.com/support/docview.wss?uid=swg21980827
- http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
- https://ubuntu.com/security/notices/USN-4785-1
- https://www.cve.org/CVERecord?id=CVE-2016-3956
- NVD
- Launchpad
- Debian