CVE-2020-15095 - OpenCVE

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Npmjs	Npm
Opensuse	Leap
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html	Mailing List Third Party Advisory
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07	Release Notes Third Party Advisory
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc	Patch Third Party Advisory
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
https://security.gentoo.org/glsa/202101-07	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-07T18:55:12

Updated: 2021-01-11T10:06:12

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15095

JSON object: View

NVD Information

Status : Modified

Published: 2020-07-07T19:15:10.833

Modified: 2023-11-07T03:17:24.663

Link: CVE-2020-15095

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"containers": {"cna": {"affected": [{"product": "cli", "vendor": "npm", "versions": [{"status": "affected", "version": "< 6.14.6"}]}], "descriptions": [{"lang": "en", "value": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>\". The password value is not redacted and is printed to stdout and also to any generated log files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-11T10:06:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07"}, {"name": "openSUSE-SU-2020:1616", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"name": "openSUSE-SU-2020:1644", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html"}, {"name": "openSUSE-SU-2020:1660", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"name": "FEDORA-2020-43d5a372fc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"name": "GLSA-202101-07", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202101-07"}], "source": {"advisory": "GHSA-93f3-23rq-pjfp", "discovery": "UNKNOWN"}, "title": "Sensitive information exposure through logs in npm cli", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15095", "STATE": "PUBLIC", "TITLE": "Sensitive information exposure through logs in npm cli"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cli", "version": {"version_data": [{"version_value": "< 6.14.6"}]}}]}, "vendor_name": "npm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>\". The password value is not redacted and is printed to stdout and also to any generated log files."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532: Insertion of Sensitive Information into Log File"}]}]}, "references": {"reference_data": [{"name": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", "refsource": "CONFIRM", "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp"}, {"name": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", "refsource": "MISC", "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc"}, {"name": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", "refsource": "MISC", "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07"}, {"name": "openSUSE-SU-2020:1616", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"name": "openSUSE-SU-2020:1644", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html"}, {"name": "openSUSE-SU-2020:1660", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"name": "FEDORA-2020-43d5a372fc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"name": "GLSA-202101-07", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-07"}]}, "source": {"advisory": "GHSA-93f3-23rq-pjfp", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15095", "datePublished": "2020-07-07T18:55:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2021-01-11T10:06:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2C68D50-600A-4FAC-9C60-863A28AAC707", "versionEndExcluding": "6.14.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>\". The password value is not redacted and is printed to stdout and also to any generated log files."}, {"lang": "es", "value": "Las versiones de la CLI npm anteriores a 6.14.6, son susceptibles a una vulnerabilidad de exposici\u00f3n de informaci\u00f3n por medio de archivos de registro. La CLI admite las URL como \"://[[:]@][:][:][/]\". El valor de la contrase\u00f1a no es redactada y se imprime en stdout y tambi\u00e9n en cualquier archivo de registro generado"}], "id": "CVE-2020-15095", "lastModified": "2023-11-07T03:17:24.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-07T19:15:10.833", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-07"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Secondary"}]}