Insertion of Sensitive Information into Log File
Affecting npm-registry-fetch package, versions <4.0.5 || >=5.0.0 <8.1.1
Overview
npm-registry-fetch is a Fetch-based HTTP client for use with npm registry APIs.
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The package accepts URLs of the form <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.
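As an added example (not npm-registry-fetch's own code), a helper that redacts the password component of a URL in the form above before it is logged, plus a scanner that flags log lines where a credential has already been written out. It assumes Node's global WHATWG URL class; the hostnames and credentials in the sample lines are constructed.

```javascript
// Added example, not npm-registry-fetch's own code. Assumes Node's global
// WHATWG URL class; everything else is plain JavaScript.

const REDACTED = '***';

// Redact the password in <protocol>://[<user>[:<password>]@]<hostname>[:<port>]/<path>
// before the URL reaches stdout or a log file. URLs without a password are
// returned unchanged.
function redactRegistryUrl(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    // Not a parseable absolute URL: fall back to a regex over the authority part.
    return rawUrl.replace(/^([a-z][a-z0-9+.-]*:\/\/[^:@\/\s]+:)[^@\/\s]*@/i, `$1${REDACTED}@`);
  }
  if (u.password === '') return rawUrl;
  u.password = REDACTED; // the URL API re-serialises the whole URL for us
  return u.toString();
}

// Detection side: find log lines that already carry user:password@ inside a URL.
// Returns 1-based line numbers so an operator can locate and rotate the token.
const CRED_IN_URL = /[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:[^\s@\/]+@/i;
function findLeakedCredentialLines(logText) {
  return logText
    .split('\n')
    .map((line, i) => (CRED_IN_URL.test(line) ? i + 1 : null))
    .filter((n) => n !== null);
}

// Constructed sample lines in the shape of npm's "http fetch" log output;
// the registry hostname and the credential are made up.
const SAMPLE_LOG = [
  'http fetch GET 200 https://alice:hunter2@registry.example.com/-/whoami 120ms',
  'http fetch GET 200 https://registry.example.com/left-pad 45ms',
  'http fetch PUT 201 https://bob@registry.example.com/-/user/org.couchdb.user:bob 300ms',
].join('\n');

console.log(redactRegistryUrl('https://alice:hunter2@registry.example.com:4873/-/whoami'));
console.log('lines with leaked credentials:', findLeakedCredentialLines(SAMPLE_LOG));
```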
Remediation
Upgrade npm-registry-fetch to version 4.0.5, 8.1.1 or higher.
CVSS Score: 5.3 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
- Credit: Unknown
- CWE: CWE-532
- Snyk ID: SNYK-JS-NPMREGISTRYFETCH-575432
- Disclosed: 07 Jul, 2020
- Published: 08 Jul, 2020