Information Exposure Affecting npm package, versions *


Severity: medium

Snyk CVSS
  • Attack Complexity: Low
  • Confidentiality: High

Threat Intelligence
  • EPSS: 0.24% (62nd percentile)

Other vendor scores
  • NVD: 7.5 high
  • Red Hat: 4.3 medium

  • Snyk ID SNYK-UBUNTU1804-NPM-271440
  • published 2 Jul 2016
  • disclosed 2 Jul 2016

How to fix?

There is no fixed version for Ubuntu:18.04 npm.

NVD Description

Note: Versions mentioned in the description apply only to the upstream npm package and not the npm package as distributed by Ubuntu. See "How to fix?" for Ubuntu:18.04 relevant fixed versions and status.

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
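
The flaw described above, as an added illustration (not npm's source code and not its actual fix): a client that attaches its bearer token to every request, beside one that attaches it only when the request's origin matches the configured registry. The registry URL, token and function names are constructed placeholders.

```javascript
// Added example: constructed values, hypothetical function names.
const REGISTRY = 'https://registry.example.test/'; // placeholder registry
const TOKEN = 'constructed-token-0000';            // placeholder credential

// Pattern the advisory describes: the Authorization header goes out
// with every request, whatever host the URL points at.
function headersUnscoped(requestUrl) {
  return { authorization: `Bearer ${TOKEN}` };
}

// Scoped pattern: send the token only when scheme, host and port all
// match the configured registry. Comparing parsed origins (not string
// prefixes) also rejects userinfo tricks and look-alike hosts.
function headersScoped(requestUrl, registry = REGISTRY) {
  let target, reg;
  try {
    target = new URL(requestUrl);
    reg = new URL(registry);
  } catch {
    return {}; // unparseable URL: send no credential
  }
  return target.origin === reg.origin
    ? { authorization: `Bearer ${TOKEN}` }
    : {};
}

// List the URLs where the unscoped client would hand the token to a
// server other than the registry.
function leakReport(urls) {
  return urls.filter(
    (u) => headersUnscoped(u).authorization && !headersScoped(u).authorization
  );
}

// Constructed request URLs a package client might fetch in one install.
const SAMPLE_URLS = [
  'https://registry.example.test/some-package',
  'https://cdn.other.test/some-package-1.0.0.tgz',         // tarball on another host
  'http://registry.example.test/some-package',             // plaintext downgrade
  'https://registry.example.test@cdn.other.test/x',        // userinfo trick
  'https://registry.example.test:8443/some-package',       // different port
];

console.log(leakReport(SAMPLE_URLS));
```
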