Bug 1328413 (CVE-2016-3956)

Summary: CVE-2016-3956 npm: bearer token leak to non-registry hosts
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton, mmaslano, tchollingsworth, thrcka, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: npm 3.8.3, npm 2.15.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-27 09:33:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1328414, 1328415, 1328416    
Bug Blocks: 1328418    

Description Andrej Nemec 2016-04-19 10:51:14 UTC 
The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install.

This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

External references:

https://nodesecurity.io/advisories/98
Comment 1 Andrej Nemec 2016-04-19 10:51:55 UTC 
Created npm tracking bugs for this issue:

Affects: fedora-all [bug 1328414]
Affects: epel-6 [bug 1328415]
Affects: epel-7 [bug 1328416]
Comment 2 Tomas Hoger 2016-04-26 13:07:29 UTC 
Blog posts from npm and nodejs upstreams:

http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

Upstream commits:

https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1)
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3)

Upstream bug report:

https://github.com/npm/npm/issues/8380
Comment 3 Tomas Hoger 2016-04-27 09:33:26 UTC 
This is only relevant to use cases where npm is used with authentication - private repos or workstations form which developers publish new package versions.  Common uses case when npm is used to install publicly available packages are not affected.
Comment 4 Andrej Nemec 2016-07-04 07:46:41 UTC 
This issue has a CVE now:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3956