CVE-2020-15095


Description

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure through log files (CWE-532). The CLI accepts URLs of the form "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>", for example a registry or git dependency URL carrying embedded credentials. The <password> component is not redacted: it is printed to stdout and is also written to any generated log files, so any local user who can read the terminal output or the log file obtains the credential. Fixed in npm CLI 6.14.6.

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html

https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07

https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc

https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/

https://security.gentoo.org/glsa/202101-07

Details

Source: MITRE

Published: 2020-07-07

Updated: 2021-01-11

Type: CWE-532 (Insertion of Sensitive Information into Log File)

Risk Information

CVSS v2

Base Score: 1.9

Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 3.4

Severity: LOW

CVSS v3

Base Score: 4.4

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 0.8

Severity: MEDIUM

Tenable Plugins (18 total)

Plugin severity is that of the vendor advisory each plugin checks, which may cover other Node.js issues as well (GLSA-202101-07, for instance, is titled "Multiple vulnerabilities"); it is not the CVSS rating of this CVE alone.

ID | Name | Product | Family | Severity
146802 | CentOS 8 : nodejs:10 (CESA-2021:0548) | Nessus | CentOS Local Security Checks | high
146638 | Oracle Linux 8 : nodejs:10 (ELSA-2021-0548) | Nessus | Oracle Linux Local Security Checks | high
146547 | RHEL 8 : nodejs:10 (RHSA-2021:0548) | Nessus | Red Hat Local Security Checks | high
145813 | CentOS 8 : nodejs:12 (CESA-2020:4272) | Nessus | CentOS Local Security Checks | high
144864 | GLSA-202101-07 : NodeJS: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
144124 | Fedora 33 : 1:nodejs (2020-43d5a372fc) | Nessus | Fedora Local Security Checks | high
143819 | SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2020:2823-1) | Nessus | SuSE Local Security Checks | high
143721 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2020:2870-1) | Nessus | SuSE Local Security Checks | medium
143665 | SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:2812-1) | Nessus | SuSE Local Security Checks | high
143663 | SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2020:2813-1) | Nessus | SuSE Local Security Checks | high
143657 | SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2020:2829-1) | Nessus | SuSE Local Security Checks | high
143610 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2020:2800-1) | Nessus | SuSE Local Security Checks | high
142450 | RHEL 8 : nodejs:12 (RHSA-2020:4903) | Nessus | Red Hat Local Security Checks | high
141637 | Oracle Linux 8 : nodejs:12 (ELSA-2020-4272) | Nessus | Oracle Linux Local Security Checks | high
141536 | RHEL 8 : nodejs:12 (RHSA-2020:4272) | Nessus | Red Hat Local Security Checks | high
141411 | openSUSE Security Update : nodejs10 (openSUSE-2020-1660) | Nessus | SuSE Local Security Checks | high
141390 | openSUSE Security Update : nodejs8 (openSUSE-2020-1644) | Nessus | SuSE Local Security Checks | medium
141276 | openSUSE Security Update : nodejs12 (openSUSE-2020-1616) | Nessus | SuSE Local Security Checks | high