CVE-2016-3956 - Vulnerability Details

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Sdk
Nodejs	Node.js
Npmjs	Npm

Configuration 1 [-]

OR	cpe:2.3:a:ibm:sdk::::::nodejs::*
	cpe:2.3:a:ibm:sdk::::::nodejs::*
	cpe:2.3:a:ibm:sdk::::::nodejs::*

Configuration 2 [-]

OR	cpe:2.3:a:nodejs:node.js:0.10.0:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.1:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.2:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.3:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.4:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.5:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.6:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.7:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.8:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.9:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.10:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.11:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.12:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.13:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.14:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.15:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.16:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.17:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.18:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.19:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.20:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.21:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.22:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.23:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.24:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.25:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.26:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.27:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.28:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.29:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.30:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.31:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.32:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.33:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.34:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.35:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.36:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.37:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.38:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.39:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.40:::::::*
	cpe:2.3:a:nodejs:node.js:0.10.41:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.0:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.1:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.2:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.3:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.4:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.5:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.6:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.7:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.8:::::::*
	cpe:2.3:a:nodejs:node.js:0.12.9:::::::*
	cpe:2.3:a:nodejs:node.js:4.0.0:::::::*
	cpe:2.3:a:nodejs:node.js:4.1.0:::::::*
	cpe:2.3:a:nodejs:node.js:4.1.1:::::::*
	cpe:2.3:a:nodejs:node.js:4.1.2:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.0:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.1:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.2:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.3:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.4:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.5:::::::*
	cpe:2.3:a:nodejs:node.js:4.2.6:::::::*
cpe:2.3:a:nodejs:node.js:4.3.0:::::::*
cpe:2.3:a:nodejs:node.js:4.3.1:::::::*
cpe:2.3:a:nodejs:node.js:4.3.1:rc.1::::::
cpe:2.3:a:nodejs:node.js:4.3.1:rc.2::::::
cpe:2.3:a:nodejs:node.js:4.3.2:::::::*
cpe:2.3:a:nodejs:node.js:4.4.0:::::::*
cpe:2.3:a:nodejs:node.js:4.4.0:rc.1::::::
cpe:2.3:a:nodejs:node.js:4.4.0:rc.2::::::
cpe:2.3:a:nodejs:node.js:4.4.0:rc.3::::::
cpe:2.3:a:nodejs:node.js:4.4.0:rc.4::::::
cpe:2.3:a:nodejs:node.js:4.4.1:::::::*
cpe:2.3:a:nodejs:node.js:5.0.0:::::::*
cpe:2.3:a:nodejs:node.js:5.1.0:::::::*
cpe:2.3:a:nodejs:node.js:5.1.1:::::::*
cpe:2.3:a:nodejs:node.js:5.2.0:::::::*
cpe:2.3:a:nodejs:node.js:5.3.0:::::::*
cpe:2.3:a:nodejs:node.js:5.4.0:::::::*
cpe:2.3:a:nodejs:node.js:5.4.1:::::::*
cpe:2.3:a:nodejs:node.js:5.5.0:::::::*
cpe:2.3:a:nodejs:node.js:5.6.0:::::::*
cpe:2.3:a:nodejs:node.js:5.7.0:::::::*
cpe:2.3:a:nodejs:node.js:5.7.1:::::::*
cpe:2.3:a:nodejs:node.js:5.8.0:::::::*
cpe:2.3:a:nodejs:node.js:5.8.1:rc.1::::::
cpe:2.3:a:nodejs:node.js:5.9.0:::::::*
cpe:2.3:a:nodejs:node.js:5.9.1:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:npmjs:npm::::::::
	cpe:2.3:a:npmjs:npm::::::::

No data.

References

Link	Providers
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21980827
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
https://github.com/npm/npm/issues/8380
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/
https://nodesecurity.io/advisories/98
https://nvd.nist.gov/vuln/detail/CVE-2016-3956
https://www.cve.org/CVERecord?id=CVE-2016-3956

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-07-02T14:00:00

Updated: 2024-08-06T00:10:31.975Z

Reserved: 2016-04-05T00:00:00

Link: CVE-2016-3956

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-07-02T14:59:19.417

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-3956

Redhat

Severity : Moderate

Publid Date: 2016-03-31T00:00:00Z

Links: CVE-2016-3956 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-31T00:00:00", "descriptions": [{"lang": "en", "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-07-02T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/npm/issues/8380"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3956", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/npm/npm/issues/8380", "refsource": "CONFIRM", "url": "https://github.com/npm/npm/issues/8380"}, {"name": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29", "refsource": "CONFIRM", "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"}, {"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"}, {"name": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401", "refsource": "CONFIRM", "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"}, {"name": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability", "refsource": "CONFIRM", "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"}, {"name": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/", "refsource": "CONFIRM", "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:10:31.975Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/npm/issues/8380"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3956", "datePublished": "2016-07-02T14:00:00", "dateReserved": "2016-04-05T00:00:00", "dateUpdated": "2024-08-06T00:10:31.975Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "F581B2CF-A05C-4ABB-9042-A34085A546D4", "versionEndIncluding": "1.1.0.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "748ABD64-797B-422E-A456-0A97AD24F29B", "versionEndIncluding": "1.2.0.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "3B824DD1-B652-47FF-B934-3C7A59DDF5DF", "versionEndIncluding": "4.4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "BF2E637C-EA49-4DB6-B4D5-B4684A9549C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "C1966CED-11A1-4328-A57E-308BE5E4CCD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "A9F46AD2-BB74-4391-8A4F-7BE49EF41F0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*", "matchCriteriaId": "EC36E36A-9592-49DA-AACE-B3638FC55F4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*", "matchCriteriaId": "B98E9F42-08BC-49B5-90C8-AC3EA7960C45", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*", "matchCriteriaId": "ABA37EF5-DF97-467B-9A56-1611345387FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*", "matchCriteriaId": "5F0BD0C1-2294-4AFB-B4AE-C81576FB9AFF", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*", "matchCriteriaId": "4057D560-81EE-49ED-888C-89560DBE3348", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*", "matchCriteriaId": "F87810E1-BDAD-455D-82E3-334CC102AB2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*", "matchCriteriaId": "8BC00B3A-3C9D-4487-9686-775CBAA1CC42", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*", "matchCriteriaId": "7C0A4F5B-4546-414C-A209-07C27ED1C944", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*", "matchCriteriaId": "2515087F-B272-4B76-99F4-ACA0C2460046", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*", "matchCriteriaId": "0C7016DE-A3A5-450B-9FBD-2C98A07FF3C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*", "matchCriteriaId": "8C1848A7-E68E-4CB4-B73C-C5200ABAC9DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*", "matchCriteriaId": "59F861AB-574A-41BF-8E2D-6440B35C2AA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*", "matchCriteriaId": "41C8CEF8-49E1-4CB0-837B-E85C76BF9DF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*", "matchCriteriaId": "8C7101A5-FDC9-4897-B8E8-6A07790D42A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*", "matchCriteriaId": "F7776F01-29AC-4161-9C91-C7392C6A356E", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*", "matchCriteriaId": "3CADD766-8328-4669-BE66-A4757D5FB471", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*", "matchCriteriaId": "AD9792E9-2593-46B4-9633-E2F2DB11106B", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*", "matchCriteriaId": "FF209248-8921-419A-86EB-30E7095E4514", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*", "matchCriteriaId": "2C0D6C34-E046-40BD-907D-0E2510C09A14", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*", "matchCriteriaId": "E5CBB83F-19AD-44BD-B7D4-19C1A8F80011", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*", "matchCriteriaId": "D6E2EA97-156D-4870-8967-78E4ED6EF64F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*", "matchCriteriaId": "54961BCA-8730-4B40-8385-41F6D65797F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*", "matchCriteriaId": "B22FA598-E613-4652-92CD-237F749D13DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*", "matchCriteriaId": "B4F321AF-FCC7-456D-AFE2-2CEF9CBAFCC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*", "matchCriteriaId": "18F2EC65-2A47-4C45-8D58-63D18443B767", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*", "matchCriteriaId": "D0517A28-70F9-4947-BEF0-9CC645388BFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*", "matchCriteriaId": "C5DD5BBD-922E-4026-9DEC-98CF9411CE95", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*", "matchCriteriaId": "63E078BA-8BDC-47EB-84B9-09B785FD1213", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*", "matchCriteriaId": "4B9971A7-1C18-43C0-97BC-27096609EFC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*", "matchCriteriaId": "0EA5107B-4347-4D43-ADA6-141527A40333", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*", "matchCriteriaId": "0C679CFA-50D4-430B-B372-113CE236EACC", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*", "matchCriteriaId": "F7AA6FEE-C630-4545-BCCF-3C211461C6C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*", "matchCriteriaId": "682E8A32-1F1E-4427-BAD8-58596F85F170", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*", "matchCriteriaId": "C9827EF0-E340-4A75-9735-F20CDF09CA42", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*", "matchCriteriaId": "E6C02C09-D738-45B1-BF6F-A4499E5F8D60", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*", "matchCriteriaId": "EE85CACC-842F-46C7-966D-48E866055A5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*", "matchCriteriaId": "771BCA5F-B762-4569-AB46-08A13A4EFD5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*", "matchCriteriaId": "21E05024-3647-456D-A731-D19411FED2DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*", "matchCriteriaId": "89929EB1-D723-496B-A7C6-4B4CD9C176B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*", "matchCriteriaId": "D3EA4652-EF0E-414C-AEB8-AEFE788B66A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC9002F9-87C4-4C7F-9BD9-430EB15CD4BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "21EF734D-9E6B-4E01-9AFE-C0B847D583A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "12606C39-6F39-4DDF-9B36-A160875B265F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "EC4D8789-33C3-498A-857D-CC6576732C31", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*", "matchCriteriaId": "466E8851-6BE7-4716-AB16-3E985411C35C", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*", "matchCriteriaId": "E5C4DB21-F35A-4567-8B04-85DB3089CDF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*", "matchCriteriaId": "BA7E7436-117A-4F79-BA7A-2A0059BB9694", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*", "matchCriteriaId": "037511C2-3FA9-4A4C-996B-A1462C221DA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*", "matchCriteriaId": "65EEB1B9-2E75-46F4-B70C-94991D38B427", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*", "matchCriteriaId": "0E5C5750-10F3-45D7-AC9B-7EA06F4B3887", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0390D600-532D-4675-95BB-10EC4E06F3E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "35AAF7CD-9AE6-4A4B-858E-4B17031BD058", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5DCB6010-AC31-4B61-9DA6-E119ADC5D70B", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5364365-36F1-49C0-BF8D-2D5054BC7B1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0740684D-989A-4957-8AC1-AAB01A04E393", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "08C97202-6AEC-4B8D-B3F6-49F6AEF9CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "7EFA073A-9AC2-4162-9DDA-B6CD0AE53D3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "4F8FD4B3-D515-486A-94A3-29CBDA2E25CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "55E18631-9502-42CC-A85A-EA5742FDC317", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "4CCBC213-1524-4C88-9EB3-52E003070A3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "C928FB55-2F33-4458-8484-4010AE8883A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5CEEFA5F-2B32-4CA0-84AD-E0ECA0F81078", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4754B0A8-A7D7-41A1-BFE5-10D84E7CEC1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:rc.1:*:*:*:*:*:*", "matchCriteriaId": "5545EA7D-77F3-439B-B524-E126E38FC0EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:rc.2:*:*:*:*:*:*", "matchCriteriaId": "375D5E3C-4ED5-4BA2-868D-83DC64DA0293", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D132104E-163C-47EE-B247-578D64AC88D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4E208FB1-A772-4002-BD56-3360BDDFEF37", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.1:*:*:*:*:*:*", "matchCriteriaId": "C357BFEF-5156-4254-97D9-0D9CE98505BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.2:*:*:*:*:*:*", "matchCriteriaId": "8EC465B1-1FE1-4BCA-8754-C55B94947140", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.3:*:*:*:*:*:*", "matchCriteriaId": "3E702637-0A91-4572-9932-529837214667", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.4:*:*:*:*:*:*", "matchCriteriaId": "EBAD975C-7A68-48B3-83CE-6876D92B1A0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "14BE6C0B-E6EC-4CD2-912B-45DE9F94BA59", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "64F7E56E-CA65-47C3-9ADA-F13A834D3961", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "183A5888-01C5-4977-9C66-1467FFA6D457", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F811E8BB-F1C8-43BE-BEAD-FC4FE122ABEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FEDE8D29-7C15-44D1-8D5C-0E438D9DE029", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "0DCA3C10-FB37-4256-812A-EB8A3A095E6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "54197CC5-9C7D-4DCE-A60F-625DE246E5A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6173A6E4-F472-46CF-9762-6F3CAAFD9C3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4C25A52-E3C0-4429-AB96-1E33523E51D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "590070D6-198A-456E-A55D-D0B06DD3FF8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "46FCC5E2-1106-4153-B8C6-5E9594735529", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "56778D45-8B99-406D-BE97-034D3A29F32E", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C0C7E2F2-8C41-4F3B-848A-144DCA30FC69", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.8.1:rc.1:*:*:*:*:*:*", "matchCriteriaId": "22969DF2-6A8A-4483-9EEF-65DEE6A945E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "11778EAE-5DCD-4D4E-807B-FD3C0DC47BE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "4C203335-0CB9-4B38-80C1-344607FFAE29", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "06A529ED-154E-40BA-86B3-297613BBD237", "versionEndExcluding": "2.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B884EB02-113D-4867-BC74-CEA49F19142F", "versionEndExcluding": "3.8.3", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers."}, {"lang": "es", "value": "La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones anteriores a 4.4.2 y 5 en versiones anteriores a 5.10.0, incluye tokens portadores con peticiones arbitrarias, lo que permite a servidores HTTP remotos obtener informaci\u00f3n sensible leyendo cabeceras de autorizaci\u00f3n."}], "id": "CVE-2016-3956", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-07-02T14:59:19.417", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/npm/npm/issues/8380"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/npm/npm/issues/8380"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "npm: bearer token leak to non-registry hosts", "id": "1328413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1328413"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers."], "name": "CVE-2016-3956", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "nodejs010-npm", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-nodejs4-npm", "product_name": "Red Hat Software Collections"}], "public_date": "2016-03-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-3956\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-3956\nhttps://nodesecurity.io/advisories/98"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object