CVE-2016-3956

NameCVE-2016-3956
DescriptionThe CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs850322

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
npm (PTS)sid, jessie1.4.21+ds-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
npmsource(unstable)(unfixed)medium850322

Notes

[jessie] - npm <no-dsa> (Minor issue)
https://github.com/npm/npm/issues/8380
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1)
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3)

Search for package or bug name: Reporting problems