CVE-2020-15095
Information Exposure vulnerability in npm
What is CVE-2020-15095 About?
In versions of the npm CLI before 6.14.6, the password component of a URL of the form `<protocol>://<user>:<password>@<host>/...` (for example a registry URL or a git dependency URL) is written to standard output and to generated log files without redaction. Anyone who can read that output or those files, such as a CI log viewer or a later reader of a saved npm-debug.log, obtains the credential in cleartext; no exploit beyond reading the log is needed.
Affected Software
- npm CLI versions prior to 6.14.6 (fixed in 6.14.6)
Technical Details
The vulnerability exists in versions of the npm CLI prior to 6.14.6. The CLI accepts URLs in the format `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`, in configuration as well as in package specifiers. When such a URL is echoed back, whether in normal `stdout` output or in verbose and debug output that also lands in any generated log file, the `<password>` component is printed as-is. The CLI's URL handling had no step that masked or removed the credential before the value reached the logging layer, so every code path that logged a URL leaked whatever password it carried.
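The following is an added example, not code from the npm project: a minimal log formatter showing the pre-fix behaviour (the message is written verbatim) beside a hardened form that redacts the `<password>` component of every URL in the message before it reaches stdout or a log file. It relies only on Node's built-in WHATWG `URL` class; the function names, the `npm <level> <message>` line shape and the sample message are assumptions for illustration.

```javascript
// Added example, not npm's own code: redact the <password> component of URLs
// before a log message is written. Uses Node's built-in WHATWG URL class.

const REDACTED = '***';

// Return `token` with an embedded URL password replaced by ***. Anything that
// is not an absolute URL, or that carries no password, comes back unchanged.
// Note that a redacted URL is re-serialised by the URL class, so it may be
// normalised (e.g. a trailing "/" added after the host).
function redactUrl(token) {
  let parsed;
  try {
    parsed = new URL(token);
  } catch (e) {
    return token; // not an absolute URL, nothing to redact
  }
  if (parsed.password === '') return token;
  parsed.password = REDACTED;
  return parsed.toString();
}

// Redact every whitespace-delimited token of a message. The capturing group
// keeps the separators so the message is reassembled exactly.
function redactMessage(message) {
  return message.split(/(\s+)/).map(redactUrl).join('');
}

// Pre-fix behaviour (hypothetical formatter): whatever the caller passes is
// written verbatim, password included.
function unsafeFormat(level, message) {
  return `npm ${level} ${message}`;
}

// Hardened form: redaction lives in the formatter, so every call site that
// ends up on stdout or in a log file is covered at once.
function safeFormat(level, message) {
  return `npm ${level} ${redactMessage(message)}`;
}

// Constructed sample message with an embedded credential (not a real account).
const sample = 'config registry https://ci-bot:hunter2@registry.example.test/';
console.log(unsafeFormat('verbose', sample));
console.log(safeFormat('verbose', sample));
```

Because redaction is token-based, a URL glued to other text without whitespace (for example `url=https://user:pw@host/`) is not parsed and therefore not redacted; a production implementation should also scan for the `<user>:<password>@` pattern inside arbitrary strings rather than rely on whitespace boundaries.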
What is the Impact of CVE-2020-15095?
Successful exploitation allows an attacker who can read the affected output or log files to obtain the cleartext password embedded in the URL, leading to unauthorized access to the registry, repository or other service that the URL authenticates to.
What is the Exploitability of CVE-2020-15095?
Exploitation is of low complexity. The attacker needs only read access to the `stdout` of an affected `npm` run or to the log files it generated; no interaction with npm itself is required, and the password is already in cleartext. The original action (running npm with a password-bearing URL) is normally performed by a legitimate, authenticated user, so the attack is typically local: someone reading the terminal, a shared build log, or a log file on disk. Logs are also frequently copied elsewhere (CI artifacts, log aggregation, bug reports), so the exposure can outlive the session in which it occurred. The main risk factor is using password-containing URLs with a vulnerable npm version in an environment where that output or those files are not protected.
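The practical check that follows from the above, as an added example that is not part of the original advisory: scan existing npm logs for URLs that carry a cleartext password (so the affected credentials can be rotated) and decide whether a given npm version predates the 6.14.6 fix. The sample log lines are constructed for this example, not captured from a real run, and the `findLeakedCredentials` / `isVulnerableVersion` names are this example's own.

```javascript
// Added example, not from the npm project: audit log text for credential-
// bearing URLs and test an npm version against the fixed release 6.14.6.

// Matches <protocol>://<user>:<password>@<host>. Host stops at "/", ":" or
// whitespace; the password stops at "@", "/" or whitespace.
const CRED_URL = /\b([a-z][a-z0-9+.-]*):\/\/([^\s/:@]+):([^\s/@]+)@([^\s/:]+)/gi;

// Return one finding per credential-bearing URL in `logText`. The password
// itself is deliberately not copied into the finding, only its length, so
// that the audit report does not become a second copy of the leak.
function findLeakedCredentials(logText) {
  const findings = [];
  logText.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(CRED_URL)) {
      findings.push({
        line: idx + 1,
        protocol: m[1].toLowerCase(),
        user: m[2],
        host: m[4],
        passwordLength: m[3].length,
      });
    }
  });
  return findings;
}

// npm CLI versions before 6.14.6 are affected. Plain numeric compare on
// major.minor.patch; a pre-release suffix (e.g. "-next.0") is ignored.
const FIXED = [6, 14, 6];
function isVulnerableVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable npm version: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;
}

// Constructed sample in the style of an npm 6 debug log; not a real capture.
const SAMPLE_LOG = [
  '0 info it worked if it ends with ok',
  '5 verbose config registry https://ci-bot:hunter2@registry.example.test/',
  '9 http fetch GET 200 https://registry.example.test/lodash 120ms',
  '12 verbose stack Error: fetch failed git+ssh://deploy:s3cr3t@git.example.test/app.git',
  '14 verbose exit [ 0, true ]',
].join('\n');

for (const f of findLeakedCredentials(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.protocol} credential for ${f.user}@${f.host} (password length ${f.passwordLength})`);
}
console.log('npm 6.14.5 vulnerable:', isVulnerableVersion('6.14.5'));
console.log('npm 6.14.6 vulnerable:', isVulnerableVersion('6.14.6'));
```

Run the scanner over every npm log you can reach (local npm-debug.log files, CI job output, anything shipped to a log aggregator); each finding identifies a credential that should be treated as exposed and rotated, regardless of whether npm has since been upgraded.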
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15095?
Available Upgrade Options
- npm
- <6.14.6 → Upgrade to 6.14.6
Additional Resources
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
- https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6
- https://osv.dev/vulnerability/GHSA-93f3-23rq-pjfp
- https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
- https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
What are Similar Vulnerabilities to CVE-2020-15095?
Similar Vulnerabilities: CVE-2022-24765, CVE-2021-42034, CVE-2020-28500, CVE-2019-10757, CVE-2018-1000632
