CVE-2020-15095

Summary

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

Affected Software

VendorProductVersion RangeStatus
npmcli< 6.14.6affected

Weaknesses

  • CWE-532: CWE-532: Insertion of Sensitive Information into Log File

ADP Enrichment

CVE Program Container

Additional References

References