FKIE_CVE-2016-3956

Vulnerability from fkie_nvd - Published: 2016-07-02 14:59 - Updated: 2025-04-12 10:46
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
References
cve@mitre.orghttp://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerabilityVendor Advisory
cve@mitre.orghttp://www-01.ibm.com/support/docview.wss?uid=swg21980827Vendor Advisory
cve@mitre.orghttps://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29Patch, Third Party Advisory
cve@mitre.orghttps://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401Patch, Third Party Advisory
cve@mitre.orghttps://github.com/npm/npm/issues/8380Third Party Advisory
cve@mitre.orghttps://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerabilityVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg21980827Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/npm/npm/issues/8380Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/Vendor Advisory
Impacted products
Vendor Product Version
ibm sdk *
ibm sdk *
ibm sdk *
nodejs node.js 0.10.0
nodejs node.js 0.10.1
nodejs node.js 0.10.2
nodejs node.js 0.10.3
nodejs node.js 0.10.4
nodejs node.js 0.10.5
nodejs node.js 0.10.6
nodejs node.js 0.10.7
nodejs node.js 0.10.8
nodejs node.js 0.10.9
nodejs node.js 0.10.10
nodejs node.js 0.10.11
nodejs node.js 0.10.12
nodejs node.js 0.10.13
nodejs node.js 0.10.14
nodejs node.js 0.10.15
nodejs node.js 0.10.16
nodejs node.js 0.10.16-isaacs-manual
nodejs node.js 0.10.17
nodejs node.js 0.10.18
nodejs node.js 0.10.19
nodejs node.js 0.10.20
nodejs node.js 0.10.21
nodejs node.js 0.10.22
nodejs node.js 0.10.23
nodejs node.js 0.10.24
nodejs node.js 0.10.25
nodejs node.js 0.10.26
nodejs node.js 0.10.27
nodejs node.js 0.10.28
nodejs node.js 0.10.29
nodejs node.js 0.10.30
nodejs node.js 0.10.31
nodejs node.js 0.10.32
nodejs node.js 0.10.33
nodejs node.js 0.10.34
nodejs node.js 0.10.35
nodejs node.js 0.10.36
nodejs node.js 0.10.37
nodejs node.js 0.10.38
nodejs node.js 0.10.39
nodejs node.js 0.10.40
nodejs node.js 0.10.41
nodejs node.js 0.12.0
nodejs node.js 0.12.1
nodejs node.js 0.12.2
nodejs node.js 0.12.3
nodejs node.js 0.12.4
nodejs node.js 0.12.5
nodejs node.js 0.12.6
nodejs node.js 0.12.7
nodejs node.js 0.12.8
nodejs node.js 0.12.9
nodejs node.js 4.0.0
nodejs node.js 4.1.0
nodejs node.js 4.1.1
nodejs node.js 4.1.2
nodejs node.js 4.2.0
nodejs node.js 4.2.1
nodejs node.js 4.2.2
nodejs node.js 4.2.3
nodejs node.js 4.2.4
nodejs node.js 4.2.5
nodejs node.js 4.2.6
nodejs node.js 4.3.0
nodejs node.js 4.3.1
nodejs node.js 4.3.1
nodejs node.js 4.3.1
nodejs node.js 4.3.2
nodejs node.js 4.4.0
nodejs node.js 4.4.0
nodejs node.js 4.4.0
nodejs node.js 4.4.0
nodejs node.js 4.4.0
nodejs node.js 4.4.1
nodejs node.js 5.0.0
nodejs node.js 5.1.0
nodejs node.js 5.1.1
nodejs node.js 5.2.0
nodejs node.js 5.3.0
nodejs node.js 5.4.0
nodejs node.js 5.4.1
nodejs node.js 5.5.0
nodejs node.js 5.6.0
nodejs node.js 5.7.0
nodejs node.js 5.7.1
nodejs node.js 5.8.0
nodejs node.js 5.8.1
nodejs node.js 5.9.0
nodejs node.js 5.9.1
npmjs npm *
npmjs npm *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*",
              "matchCriteriaId": "F581B2CF-A05C-4ABB-9042-A34085A546D4",
              "versionEndIncluding": "1.1.0.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*",
              "matchCriteriaId": "748ABD64-797B-422E-A456-0A97AD24F29B",
              "versionEndIncluding": "1.2.0.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ibm:sdk:*:*:*:*:*:nodejs:*:*",
              "matchCriteriaId": "3B824DD1-B652-47FF-B934-3C7A59DDF5DF",
              "versionEndIncluding": "4.4.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF2E637C-EA49-4DB6-B4D5-B4684A9549C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1966CED-11A1-4328-A57E-308BE5E4CCD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9F46AD2-BB74-4391-8A4F-7BE49EF41F0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC36E36A-9592-49DA-AACE-B3638FC55F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B98E9F42-08BC-49B5-90C8-AC3EA7960C45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABA37EF5-DF97-467B-9A56-1611345387FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F0BD0C1-2294-4AFB-B4AE-C81576FB9AFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "4057D560-81EE-49ED-888C-89560DBE3348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "F87810E1-BDAD-455D-82E3-334CC102AB2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "8BC00B3A-3C9D-4487-9686-775CBAA1CC42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C0A4F5B-4546-414C-A209-07C27ED1C944",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "2515087F-B272-4B76-99F4-ACA0C2460046",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C7016DE-A3A5-450B-9FBD-2C98A07FF3C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C1848A7-E68E-4CB4-B73C-C5200ABAC9DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "59F861AB-574A-41BF-8E2D-6440B35C2AA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "41C8CEF8-49E1-4CB0-837B-E85C76BF9DF5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C7101A5-FDC9-4897-B8E8-6A07790D42A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7776F01-29AC-4161-9C91-C7392C6A356E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CADD766-8328-4669-BE66-A4757D5FB471",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD9792E9-2593-46B4-9633-E2F2DB11106B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF209248-8921-419A-86EB-30E7095E4514",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C0D6C34-E046-40BD-907D-0E2510C09A14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "E5CBB83F-19AD-44BD-B7D4-19C1A8F80011",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6E2EA97-156D-4870-8967-78E4ED6EF64F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "54961BCA-8730-4B40-8385-41F6D65797F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*",
              "matchCriteriaId": "B22FA598-E613-4652-92CD-237F749D13DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4F321AF-FCC7-456D-AFE2-2CEF9CBAFCC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*",
              "matchCriteriaId": "18F2EC65-2A47-4C45-8D58-63D18443B767",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0517A28-70F9-4947-BEF0-9CC645388BFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5DD5BBD-922E-4026-9DEC-98CF9411CE95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*",
              "matchCriteriaId": "63E078BA-8BDC-47EB-84B9-09B785FD1213",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B9971A7-1C18-43C0-97BC-27096609EFC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "0EA5107B-4347-4D43-ADA6-141527A40333",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C679CFA-50D4-430B-B372-113CE236EACC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7AA6FEE-C630-4545-BCCF-3C211461C6C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*",
              "matchCriteriaId": "682E8A32-1F1E-4427-BAD8-58596F85F170",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9827EF0-E340-4A75-9735-F20CDF09CA42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6C02C09-D738-45B1-BF6F-A4499E5F8D60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE85CACC-842F-46C7-966D-48E866055A5F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*",
              "matchCriteriaId": "771BCA5F-B762-4569-AB46-08A13A4EFD5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*",
              "matchCriteriaId": "21E05024-3647-456D-A731-D19411FED2DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "89929EB1-D723-496B-A7C6-4B4CD9C176B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3EA4652-EF0E-414C-AEB8-AEFE788B66A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC9002F9-87C4-4C7F-9BD9-430EB15CD4BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "21EF734D-9E6B-4E01-9AFE-C0B847D583A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "12606C39-6F39-4DDF-9B36-A160875B265F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC4D8789-33C3-498A-857D-CC6576732C31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "466E8851-6BE7-4716-AB16-3E985411C35C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E5C4DB21-F35A-4567-8B04-85DB3089CDF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA7E7436-117A-4F79-BA7A-2A0059BB9694",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "037511C2-3FA9-4A4C-996B-A1462C221DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "65EEB1B9-2E75-46F4-B70C-94991D38B427",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E5C5750-10F3-45D7-AC9B-7EA06F4B3887",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0390D600-532D-4675-95BB-10EC4E06F3E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "35AAF7CD-9AE6-4A4B-858E-4B17031BD058",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DCB6010-AC31-4B61-9DA6-E119ADC5D70B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E5364365-36F1-49C0-BF8D-2D5054BC7B1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0740684D-989A-4957-8AC1-AAB01A04E393",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "08C97202-6AEC-4B8D-B3F6-49F6AEF9CFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EFA073A-9AC2-4162-9DDA-B6CD0AE53D3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F8FD4B3-D515-486A-94A3-29CBDA2E25CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "55E18631-9502-42CC-A85A-EA5742FDC317",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CCBC213-1524-4C88-9EB3-52E003070A3B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "C928FB55-2F33-4458-8484-4010AE8883A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CEEFA5F-2B32-4CA0-84AD-E0ECA0F81078",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4754B0A8-A7D7-41A1-BFE5-10D84E7CEC1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:rc.1:*:*:*:*:*:*",
              "matchCriteriaId": "5545EA7D-77F3-439B-B524-E126E38FC0EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.3.1:rc.2:*:*:*:*:*:*",
              "matchCriteriaId": "375D5E3C-4ED5-4BA2-868D-83DC64DA0293",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D132104E-163C-47EE-B247-578D64AC88D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E208FB1-A772-4002-BD56-3360BDDFEF37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.1:*:*:*:*:*:*",
              "matchCriteriaId": "C357BFEF-5156-4254-97D9-0D9CE98505BB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.2:*:*:*:*:*:*",
              "matchCriteriaId": "8EC465B1-1FE1-4BCA-8754-C55B94947140",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.3:*:*:*:*:*:*",
              "matchCriteriaId": "3E702637-0A91-4572-9932-529837214667",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.4.0:rc.4:*:*:*:*:*:*",
              "matchCriteriaId": "EBAD975C-7A68-48B3-83CE-6876D92B1A0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "14BE6C0B-E6EC-4CD2-912B-45DE9F94BA59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "64F7E56E-CA65-47C3-9ADA-F13A834D3961",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "183A5888-01C5-4977-9C66-1467FFA6D457",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F811E8BB-F1C8-43BE-BEAD-FC4FE122ABEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FEDE8D29-7C15-44D1-8D5C-0E438D9DE029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DCA3C10-FB37-4256-812A-EB8A3A095E6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "54197CC5-9C7D-4DCE-A60F-625DE246E5A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6173A6E4-F472-46CF-9762-6F3CAAFD9C3B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4C25A52-E3C0-4429-AB96-1E33523E51D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "590070D6-198A-456E-A55D-D0B06DD3FF8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "46FCC5E2-1106-4153-B8C6-5E9594735529",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "56778D45-8B99-406D-BE97-034D3A29F32E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0C7E2F2-8C41-4F3B-848A-144DCA30FC69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.8.1:rc.1:*:*:*:*:*:*",
              "matchCriteriaId": "22969DF2-6A8A-4483-9EEF-65DEE6A945E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "11778EAE-5DCD-4D4E-807B-FD3C0DC47BE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:5.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C203335-0CB9-4B38-80C1-344607FFAE29",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "06A529ED-154E-40BA-86B3-297613BBD237",
              "versionEndExcluding": "2.15.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B884EB02-113D-4867-BC74-CEA49F19142F",
              "versionEndExcluding": "3.8.3",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers."
    },
    {
      "lang": "es",
      "value": "La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones anteriores a 4.4.2 y 5 en versiones anteriores a 5.10.0, incluye tokens portadores con peticiones arbitrarias, lo que permite a servidores HTTP remotos obtener informaci\u00f3n sensible leyendo cabeceras de autorizaci\u00f3n."
    }
  ],
  "id": "CVE-2016-3956",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-07-02T14:59:19.417",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/npm/npm/issues/8380"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980827"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/npm/npm/issues/8380"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.