Information Exposure Through Log Files Affecting npm package, versions <6.14.6+ds-1


low

Snyk CVSS

    Attack Complexity High
    User Interaction Required
    Confidentiality High

    Threat Intelligence

    EPSS 0.05% (15th percentile)
Expand this section
NVD
4.4 medium
Expand this section
SUSE
5.5 medium
Expand this section
Red Hat
4.4 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIANUNSTABLE-NPM-575555
  • published 9 Jul 2020
  • disclosed 7 Jul 2020

How to fix?

Upgrade Debian:unstable npm to version 6.14.6+ds-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream npm package and not the npm package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.