Main Vulnerability Database Vulnerabilities #VU21761

Information disclosure in CLI - CVE-2016-3956

Published: October 14, 2019

Vulnerability identifier: #VU21761

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-3956

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: npm Inc.

Affected software:
CLI

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected software includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. A remote attacker can gain unauthorized access to sensitive information on the system.

How to mitigate CVE-2016-3956

Install updates from vendor's website.

Sources

https://github.com/npm/npm/issues/8380
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability

Information disclosure in CLI - CVE-2016-3956

Detailed vulnerability description

How to mitigate CVE-2016-3956

Sources

Please verify you're human