CVE-2020-15095

Sensitive information exposure through logs in npm cli

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

Las versiones de la CLI npm anteriores a 6.14.6, son susceptibles a una vulnerabilidad de exposición de información por medio de archivos de registro. La CLI admite las URL como "://[[:]@][:][:][/]". El valor de la contraseña no es redactada y se imprime en stdout y también en cualquier archivo de registro generado

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-24 First Exploit
2020-06-25 CVE Reserved
2020-07-07 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (11)

URL	Tag	Source
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07	Release Notes
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp	Third Party Advisory

URL	Date	SRC
https://github.com/ossf-cve-benchmark/CVE-2020-15095	2020-06-24

URL	Date	SRC
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6	2023-11-07
https://security.gentoo.org/glsa/202101-07	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-15095	2021-02-16
https://bugzilla.redhat.com/show_bug.cgi?id=1856875	2021-02-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Npmjs Search vendor "Npmjs"		Npm Search vendor "Npmjs" for product "Npm"				< 6.14.6 Search vendor "Npmjs" for product "Npm" and version " < 6.14.6"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected