CVE-2020-15095: Log File Information Exposure in npm CLI

Severity: 4.4 MEDIUM (NVD)
EPSS: 0.1% (top 72.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 7; latest update Jul 14

Description

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 0.8 | Impact: 3.6

Affected Packages (5 packages)

Source      Package        Affected versions
CVEList V5  npm/cli        < 6.14.6
NVD         npmjs/npm      < 6.14.6
npm         npmjs/npm      < 6.14.6
Debian      npmjs/npm      < 6.14.6+ds-1 (+3 more)
NVD         opensuse/leap  15.1, 15.2 (+1 more)

Also affects: Fedora 33

Patches

🔴 Vulnerability Details (4)

CVEList: Sensitive information exposure through logs in npm cli (2020-07-07)
OSV: npm CLI exposing sensitive information through logs (2020-07-07)
OSV: CVE-2020-15095: Versions of the npm CLI prior to 6 (2020-07-07)
GHSA: npm CLI exposing sensitive information through logs (2020-07-07)

📋 Vendor Advisories (2)

Red Hat: npm: sensitive information exposure through logs (2020-07-07)
Debian: CVE-2020-15095: npm - Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposur... (2020)

💬 Community (3)

Bugzilla: CVE-2020-15095 nodejs: npm: Sensitive information exposure through logs [fedora-all] (2020-07-14)
Bugzilla: CVE-2020-15095 npm: sensitive information exposure through logs (2020-07-14)
Bugzilla: CVE-2020-15095 nodejs: npm: sensitive information exposure through logs [epel-all] (2020-07-14)
Source: cvebase (CVE-2020-15095 - Log File Information Exposure in NPM)