CVE-2016-3956

CWE-200 — Information Exposure CWE-20113 documents8 sources

Severity

7.5HIGH

EPSS

3.2%

top 12.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Npmjs NPM IBM SDK Nodejs Node.js

Timeline

PublishedJul 2

Latest updateMar 15

Description

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDnodejs/node.js84 versions+83

▶npmnpm3.0.0 — 3.8.3+1

▶NVDnpmjs/npm3.0.0 — 3.8.3+1

▶Debiannpm< 5.8.0+ds-2+3

▶NVDibm/sdk1.1.0.20+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

npm Token Leak in npm↗2018-07-31

▶

GHSA

npm Token Leak in npm↗2018-07-31

▶

OSV

CVE-2016-3956: The CLI in npm before 2↗2016-07-02

▶

CVEList

CVE-2016-3956: The CLI in npm before 2↗2016-07-02

▶

📋Vendor Advisories

Ubuntu

npm vulnerability↗2021-03-15

▶

Red Hat

npm: bearer token leak to non-registry hosts↗2016-03-31

▶

Debian

CVE-2016-3956: npm - The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 befor...↗2016

▶

💬Community

Bugzilla

CVE-2016-8568 CVE-2016-8569 libgit2: Invalid memory accesses parsing object files↗2016-10-10

▶

Bugzilla

CVE-2016-3956 npm: bearer token leak [epel-7]↗2016-04-19

▶

Bugzilla

CVE-2016-3956 npm: bearer token leak to non-registry hosts↗2016-04-19

▶

Bugzilla

CVE-2016-3956 npm: bearer token leak [epel-6]↗2016-04-19

▶

Bugzilla

CVE-2016-3956 npm: bearer token leak [fedora-all]↗2016-04-19

▶