Insertion of Sensitive Information into Log File

Affecting npm-registry-fetch package, versions <4.0.5 || >=5.0.0 <8.1.1

Overview

npm-registry-fetch is a Fetch-based HTTP client for use with npm registry APIs.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The package accepts registry URLs of the form <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password component of such a URL is not redacted: it is printed to stdout and written to any generated log files.

Remediation

Upgrade npm-registry-fetch to version 4.0.5, 8.1.1 or higher.

CVSS Score

5.3
medium severity
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit: Unknown
CWE: CWE-532
Snyk ID: SNYK-JS-NPMREGISTRYFETCH-575432
Disclosed: 07 Jul, 2020
Published: 08 Jul, 2020