CVE-2020-15095 — MEDIUM (4.4)

Vulnerability Description

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

CVSS Score

4.4

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Npmjs	Npm	< 6.14.6
Opensuse	Leap	15.1
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-532

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.htmlMailing ListThird Party Advisory
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELRelease NotesThird Party Advisory
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbcPatchThird Party Advisory
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfpThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202101-07Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.htmlMailing ListThird Party Advisory
https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELRelease NotesThird Party Advisory
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbcPatchThird Party Advisory
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfpThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-15095?

CVE-2020-15095 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:]...

How severe is CVE-2020-15095?

CVE-2020-15095 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15095?

Check the references section above for vendor advisories and patch information. Affected products include: Npmjs Npm, Opensuse Leap, Fedoraproject Fedora.