Insertion of Sensitive Information into Log File in npm-registry-fetch

Do your applications use this vulnerable package? Test your applications

Overview

npm-registry-fetch is a Fetch-based http client for use with npm registry APIs

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through log files. The package supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

Remediation

Upgrade npm-registry-fetch to version 4.0.5, 8.1.1 or higher.

References

GitHub Commit

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

None
Availability

None

Credit: Unknown
CWE: CWE-532
Snyk ID: SNYK-JS-NPMREGISTRYFETCH-575432
Disclosed: 07 Jul, 2020
Published: 08 Jul, 2020

Insertion of Sensitive Information into Log File
Affecting npm-registry-fetch package, versions <4.0.5 || >=5.0.0 <8.1.1

Overview

Remediation

References

CVSS Score

Insertion of Sensitive Information into Log File Affecting npm-registry-fetch package, versions <4.0.5 || >=5.0.0 <8.1.1

Overview

Remediation

References

Insertion of Sensitive Information into Log File
Affecting npm-registry-fetch package, versions <4.0.5 || >=5.0.0 <8.1.1