GHSA-m5h6-hr3q-22h5

Опубликовано: 31 июл. 2018

Источник: github

Github: Прошло ревью

Описание

npm Token Leak in npm

Affected versions of the npm package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry.

An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token.

This compromised token could be used to do anything that the user could do, including publishing new packages.

Recommendation

Update npm with npm install npm@latest -g
Revoke your Tokens
Enable Two-Factor Authentication

Ссылки

Пакеты

Наименование

npm

Затронутые версииВерсия исправления

<= 2.15.0

2.15.1

Наименование

npm

Затронутые версииВерсия исправления

>= 3.0.0, <= 3.8.2

3.8.3

EPSS

Процентиль: 84%

0.02387

Низкий

CVE ID

CVE-2016-3956

Дефекты

CWE-200

Связанные уязвимости

CVE-2016-3956

CVSS3: 7.5

ubuntu

почти 9 лет назад

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.