CVE-2020-15095
Published: 7 July 2020
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
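As an added example (not code from the npm CLI or from the fix referenced below), the following Node.js helper shows the redaction step the advisory describes as missing: it masks the password component of any URL in a log line before that line is written to stdout or a log file, and falls back to a pattern replacement for URL forms the WHATWG parser rejects, such as the `<hostname>:<path>` variant in the template above. The function names, the `***` mask and the sample log lines are assumptions made for this example.

```javascript
// Added example, not npm's own code. Assumes Node.js (global WHATWG URL
// class, no other dependencies). Sample log lines below are constructed.

// Loose match for anything in a line that looks like a URL with a scheme.
const URL_TOKEN = /[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Fallback for strings the URL parser rejects, e.g. "ssh://u:pw@host:org/repo"
// (non-numeric "port"). Deliberately greedy: it over-redacts rather than
// letting an unparseable credential through.
const USERINFO_PW = /^([a-z][a-z0-9+.-]*:\/\/[^/?#@:]*:)[^@]*@/i;

// Return `raw` with its userinfo password replaced by "***".
function redactUrl(raw) {
  try {
    const u = new URL(raw);
    if (u.password === '') return raw; // nothing to hide
    u.password = '***';
    return u.href; // note: the parser may normalise, e.g. add a trailing "/"
  } catch {
    // Unparseable by WHATWG rules: still redact by pattern, never pass through.
    return raw.replace(USERINFO_PW, '$1***@');
  }
}

// Redact every URL-looking token in one log line.
function redactLine(line) {
  return line.replace(URL_TOKEN, redactUrl);
}

// Constructed sample lines in the style of a verbose npm run.
const SAMPLE_LINES = [
  'npm verb registry https://deploy:s3cretT0ken@registry.example.com/pkg',
  'npm verb git clone git+ssh://git:hunter2@git.example.com:org/repo.git',
  'npm verb fetch https://registry.example.com/pkg (no credentials)',
];

function redactAll(lines = SAMPLE_LINES) {
  return lines.map(redactLine);
}

for (const line of redactAll()) console.log(line);
```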
Status
Package | Release | Status |
---|---|---|
npm (Launchpad, Ubuntu, Debian) | bionic | Needs triage |
npm | eoan | Ignored (end of life) |
npm | focal | Needs triage |
npm | groovy | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | hirsute | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | impish | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | jammy | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | kinetic | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | lunar | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | mantic | Not vulnerable (6.14.6+ds-1ubuntu1) |
npm | trusty | Needs triage |
npm | upstream | Needs triage |
npm | xenial | Needs triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.4 |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
References
- https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
- https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
- https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
- https://www.cve.org/CVERecord?id=CVE-2020-15095
- NVD
- Launchpad
- Debian