CVE-2016-3956
Published: Jul 2, 2016
Modified: Aug 6, 2024
PUBLISHED
Description
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
https://github.com/npm/npm/issues/8380
x_refsource_CONFIRM
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
x_refsource_CONFIRM
http://www-01.ibm.com/support/docview.wss?uid=swg21980827
x_refsource_CONFIRM
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
x_refsource_CONFIRM
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
x_refsource_CONFIRM
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
x_refsource_CONFIRM