CVE-2016-3956
Last modified
CVE-2016-3956 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.. EPSS estimates a 6.75% chance of exploitation in the next 30 days.
Description
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Ibm | Sdk | <= 1.1.0.20 | — |
| Ibm | Sdk | <= 1.2.0.10 | — |
| Ibm | Sdk | <= 4.4.1.0 | — |
| Nodejs | Node.Js | 0.10.0 | — |
| Nodejs | Node.Js | 0.10.1 | — |
| Nodejs | Node.Js | 0.10.2 | — |
| Nodejs | Node.Js | 0.10.3 | — |
| Nodejs | Node.Js | 0.10.4 | — |
| Nodejs | Node.Js | 0.10.5 | — |
| Nodejs | Node.Js | 0.10.6 | — |
| Nodejs | Node.Js | 0.10.7 | — |
| Nodejs | Node.Js | 0.10.8 | — |
| Nodejs | Node.Js | 0.10.9 | — |
| Nodejs | Node.Js | 0.10.10 | — |
| Nodejs | Node.Js | 0.10.11 | — |
| Nodejs | Node.Js | 0.10.12 | — |
| Nodejs | Node.Js | 0.10.13 | — |
| Nodejs | Node.Js | 0.10.14 | — |
| Nodejs | Node.Js | 0.10.15 | — |
| Nodejs | Node.Js | 0.10.16 | — |
| Nodejs | Node.Js | 0.10.16-isaacs-manual | — |
| Nodejs | Node.Js | 0.10.17 | — |
| Nodejs | Node.Js | 0.10.18 | — |
| Nodejs | Node.Js | 0.10.19 | — |
| Nodejs | Node.Js | 0.10.20 | — |
| Nodejs | Node.Js | 0.10.21 | — |
| Nodejs | Node.Js | 0.10.22 | — |
| Nodejs | Node.Js | 0.10.23 | — |
| Nodejs | Node.Js | 0.10.24 | — |
| Nodejs | Node.Js | 0.10.25 | — |
| Nodejs | Node.Js | 0.10.26 | — |
| Nodejs | Node.Js | 0.10.27 | — |
| Nodejs | Node.Js | 0.10.28 | — |
| Nodejs | Node.Js | 0.10.29 | — |
| Nodejs | Node.Js | 0.10.30 | — |
| Nodejs | Node.Js | 0.10.31 | — |
| Nodejs | Node.Js | 0.10.32 | — |
| Nodejs | Node.Js | 0.10.33 | — |
| Nodejs | Node.Js | 0.10.34 | — |
| Nodejs | Node.Js | 0.10.35 | — |
| Nodejs | Node.Js | 0.10.36 | — |
| Nodejs | Node.Js | 0.10.37 | — |
| Nodejs | Node.Js | 0.10.38 | — |
| Nodejs | Node.Js | 0.10.39 | — |
| Nodejs | Node.Js | 0.10.40 | — |
| Nodejs | Node.Js | 0.10.41 | — |
| Nodejs | Node.Js | 0.12.0 | — |
| Nodejs | Node.Js | 0.12.1 | — |
| Nodejs | Node.Js | 0.12.2 | — |
| Nodejs | Node.Js | 0.12.3 | — |
Showing 50 of 89 affected configurations. See NVD for the full list.
References
- http://www-01.ibm.com/support/docview.wss?uid=swg21980827Vendor Advisory
- https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29Patch, Third Party Advisory
- https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401Patch, Third Party Advisory
- https://github.com/npm/npm/issues/8380Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21980827Vendor Advisory
- https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29Patch, Third Party Advisory
- https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401Patch, Third Party Advisory
- https://github.com/npm/npm/issues/8380Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-3956?
How severe is CVE-2016-3956?
How do I fix CVE-2016-3956?
Are you affected by CVE-2016-3956?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST