Description
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
Mitigation
Do not provide a password to npm via the CLI, so that it is not written to stdout and to the logs, or use SSH instead.
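As an added example (not npm's code and not part of this advisory), the following Node.js snippet shows the defensive side of the issue: a redactor that masks the password part of URLs in the form described above before text is logged, and a scanner that checks existing log lines for credentials that were written unredacted. The log lines, hostnames and credentials are constructed samples.

```javascript
// Matches "scheme://user:password@" and captures scheme, user and password.
// Only the userinfo part is parsed, so the scp-style "host:path" git form
// (git+ssh://u:p@host:org/repo.git) is handled as well. Passwords containing
// "@" must already be percent-encoded to be a valid userinfo, so "@" ends them.
const CRED_URL = /\b([a-z][a-z0-9+.-]*):\/\/([^\s:\/@]+):([^\s@]+)@/gi;

// Return a copy of `text` with every embedded URL password replaced by "***".
// Apply this to a line before it reaches stdout or a log file.
function redactUrlPasswords(text) {
  return text.replace(CRED_URL, (m, scheme, user) => `${scheme}://${user}:***@`);
}

// Scan log text and return {line, scheme, user} for each unredacted password.
// Line numbers are 1-based; the password itself is deliberately not returned.
function findLeakedCredentials(logText) {
  const hits = [];
  logText.split("\n").forEach((line, i) => {
    CRED_URL.lastIndex = 0; // global regex: reset before scanning each line
    let m;
    while ((m = CRED_URL.exec(line)) !== null) {
      if (m[3] !== "***") hits.push({ line: i + 1, scheme: m[1], user: m[2] });
    }
  });
  return hits;
}

// Constructed sample of npm-style debug log lines (not a real log file).
const SAMPLE_LOG = [
  "0 info it worked if it ends with ok",
  "1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'install' ]",
  "2 silly fetchPackageMetaData git+https://deploy:s3cretToken@git.example.com/org/repo.git",
  "3 silly fetchPackageMetaData git+ssh://deploy:s3cretToken@git.example.com:org/repo.git",
  "4 silly fetchPackageMetaData https://registry.npmjs.org/lodash",
].join("\n");

// Report leaked entries (line and user only), then show the redacted form.
for (const hit of findLeakedCredentials(SAMPLE_LOG)) {
  console.log(`line ${hit.line}: ${hit.scheme} URL carries a password for user "${hit.user}"`);
}
console.log(redactUrlPasswords(SAMPLE_LOG));
```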
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Application Runtimes | nodejs8 | Out of support scope | ||
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2020:4272 | 19.10.2020 |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0548 | 16.02.2021 |
Red Hat Enterprise Linux 8.1 Extended Update Support | nodejs | Fixed | RHSA-2020:4903 | 04.11.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs | Fixed | RHSA-2020:5086 | 12.11.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs10-nodejs | Fixed | RHSA-2021:0521 | 15.02.2021 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-nodejs12-nodejs | Fixed | RHSA-2020:5086 | 12.11.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-nodejs10-nodejs | Fixed | RHSA-2021:0521 | 15.02.2021 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-nodejs12-nodejs | Fixed | RHSA-2020:5086 | 12.11.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-nodejs10-nodejs | Fixed | RHSA-2021:0521 | 15.02.2021 |
Additional information
Status:
EPSS
CVSS3: 4.4 Medium
Related vulnerabilities
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.