CVE-2016-3956

Published: 02 July 2016

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

From the Ubuntu security team

It was discovered that the npm command-line interface mishandled certain sensitive information. An attacker could use this vulnerability to collect authentication information that could be used to impersonate other users.
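The defensive rule the description implies, as an added illustration and not code from npm or the Ubuntu advisory: a registry bearer token should accompany a request only when the request targets the configured registry's origin (and path prefix), never a tarball or redirect hosted elsewhere. Registry host, token value and sample URLs below are constructed placeholders.

```javascript
// Added example (not npm's own code). The vulnerable CLI attached the registry
// bearer token to every outgoing request; this helper scopes it to the
// configured registry so an off-registry host never sees it.
function authorizationFor(requestUrl, registryUrl, token) {
  const req = new URL(requestUrl);
  const reg = new URL(registryUrl);

  // Scheme, host and port must all match: a token issued for the https
  // registry must not leak to another host, another port, or plain http.
  if (req.origin !== reg.origin) return null;

  // A registry mounted under a path prefix (e.g. /npm/) only covers that subtree.
  const prefix = reg.pathname.endsWith('/') ? reg.pathname : reg.pathname + '/';
  if (!(req.pathname + '/').startsWith(prefix)) return null;

  return `Bearer ${token}`;
}

// Constructed sample inputs: placeholder registry and token, plus the request
// kinds a package install can produce, including a tarball on a foreign host.
const registry = 'https://registry.example.test/';
const token = 'npm_token_PLACEHOLDER';

const samples = [
  { url: 'https://registry.example.test/left-pad', note: 'metadata on registry' },
  { url: 'https://registry.example.test/left-pad/-/left-pad-1.1.3.tgz', note: 'tarball on registry' },
  { url: 'https://tarballs.other.example/left-pad-1.1.3.tgz', note: 'tarball on other host' },
  { url: 'http://registry.example.test/left-pad', note: 'scheme downgrade' },
  { url: 'https://registry.example.test:8443/left-pad', note: 'other port' },
];

// Report which sample requests would carry the token under the scoped rule.
function audit() {
  return samples.map((s) => ({
    url: s.url,
    note: s.note,
    sendsToken: authorizationFor(s.url, registry, token) !== null,
  }));
}

for (const r of audit()) {
  console.log(`${r.sendsToken ? 'TOKEN ' : 'no tok'}  ${r.url}  (${r.note})`);
}
```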

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: npm (Launchpad, Ubuntu, Debian)
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (3.8.3)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.8.3)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (code not present)
Patches:
Upstream: https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
Upstream: https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29