CVE-2020-15095
Published: 7 July 2020
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
npm Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Needs triage
|
|
| groovy |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| hirsute |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| impish |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| jammy |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| kinetic |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| lunar |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| mantic |
Not vulnerable
(6.14.6+ds-1ubuntu1)
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.4 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
References
- https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
- https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
- https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
- https://www.cve.org/CVERecord?id=CVE-2020-15095
- NVD
- Launchpad
- Debian