Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2016-3956

Good to know:

icon

Date: July 2, 2016

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

Language: C#

Severity Score

Related Resources (12)

https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
http://www-01.ibm.com/support/docview.wss?uid=swg21980827
https://github.com/npm/npm/issues/8380
https://www.npmjs.com/advisories/98
https://nvd.nist.gov/vuln/detail/CVE-2016-3956
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
https://github.com/advisories/GHSA-m5h6-hr3q-22h5
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
https://security-tracker.debian.org/tracker/CVE-2016-3956
https://www.mend.io/vulnerability-database/CVE-2016-3956

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Top Fix

icon

Upgrade Version

Upgrade to version npm - 3.8.3;npm - 2.15.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us