Published: 02/07/2016 Updated: 15/06/2021

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

The CLI in npm prior to 2.15.1 and 3.x prior to 3.8.3, as used in Node.js 0.10 prior to 0.10.44, 0.12 prior to 0.12.13, 4 prior to 4.4.2, and 5 prior to 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

Vulnerable Product	Search on Vulmon	Subscribe to Product
ibm sdk
nodejs node.js 5.6.0
nodejs node.js 4.4.0
nodejs node.js 4.3.2
nodejs node.js 4.3.1
nodejs node.js 5.2.0
nodejs node.js 5.1.0
nodejs node.js 4.2.1
nodejs node.js 4.1.2
nodejs node.js 0.12.8
nodejs node.js 0.12.6
nodejs node.js 0.10.9
nodejs node.js 0.10.7
nodejs node.js 0.10.38
nodejs node.js 0.10.36
nodejs node.js 0.10.31
nodejs node.js 0.10.3
nodejs node.js 0.10.23
nodejs node.js 0.10.21
nodejs node.js 0.10.16
nodejs node.js 0.10.14
nodejs node.js 0.10.1
nodejs node.js 5.0.0
nodejs node.js 4.2.6
nodejs node.js 4.2.5
nodejs node.js 4.2.4
nodejs node.js 4.2.3
nodejs node.js 0.12.4
nodejs node.js 0.12.3
nodejs node.js 0.12.2
nodejs node.js 0.12.1
nodejs node.js 0.10.35
nodejs node.js 0.10.34
nodejs node.js 0.10.33
nodejs node.js 0.10.32
nodejs node.js 0.10.2
nodejs node.js 0.10.19
nodejs node.js 0.10.18
nodejs node.js 0.10.17
nodejs node.js 5.9.1
nodejs node.js 5.9.0
nodejs node.js 5.8.1
nodejs node.js 5.8.0
nodejs node.js 5.7.1
nodejs node.js 4.3.0
nodejs node.js 5.5.0
nodejs node.js 5.4.1
nodejs node.js 5.4.0
nodejs node.js 4.1.1
nodejs node.js 4.1.0
nodejs node.js 4.0.0
nodejs node.js 0.12.9
nodejs node.js 0.10.5
nodejs node.js 0.10.41
nodejs node.js 0.10.40
nodejs node.js 0.10.4
nodejs node.js 0.10.28
nodejs node.js 0.10.27
nodejs node.js 0.10.26
nodejs node.js 0.10.25
nodejs node.js 0.10.13
nodejs node.js 0.10.12
nodejs node.js 0.10.11
nodejs node.js 0.10.10
nodejs node.js 5.7.0
nodejs node.js 4.4.1
nodejs node.js 5.3.0
nodejs node.js 5.1.1
nodejs node.js 4.2.2
nodejs node.js 4.2.0
nodejs node.js 0.12.7
nodejs node.js 0.12.5
nodejs node.js 0.12.0
nodejs node.js 0.10.8
nodejs node.js 0.10.6
nodejs node.js 0.10.39
nodejs node.js 0.10.37
nodejs node.js 0.10.30
nodejs node.js 0.10.29
nodejs node.js 0.10.24
nodejs node.js 0.10.22
nodejs node.js 0.10.20
nodejs node.js 0.10.16-isaacs-manual
nodejs node.js 0.10.15
nodejs node.js 0.10.0
npmjs npm

Debian Bug report logs - #850322 npm: CVE-2016-3956 Package: src:npm; Maintainer for src:npm is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 5 Jan 2017 21:21:01 UTC Severity: important Tags: fixed-upstream, security, up ...

The CLI in npm before 2151 and 3x before 383, as used in Nodejs 010 before 01044, 012 before 01213, 4 before 442, and 5 before 5100, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers ...

CWE-200 http://www-01.ibm.com/support/docview.wss?uid=swg21980827 https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 https://github.com/npm/npm/issues/8380 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850322 https://nvd.nist.gov

CVE-2016-3956

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect