Bug 1328413 – CVE-2016-3956 npm: bearer token leak to non-registry hosts

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1328413 - (CVE-2016-3956) CVE-2016-3956 npm: bearer token leak to non-registry hosts

Summary:	CVE-2016-3956 npm: bearer token leak to non-registry hosts

Status:	CLOSED WONTFIX

Aliases:	CVE-2016-3956

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160331,repor...
Keywords:	Security

Depends On:	1328415 1328414 1328416
Blocks:	1328418
	Show dependency tree / graph

Reported:	2016-04-19 06:51 EDT by Andrej Nemec
Modified:	2016-07-04 03:46 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	npm 3.8.3, npm 2.15.1
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-04-27 05:33:26 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-04-19 06:51:14 EDT

The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install.

This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.

External references:

https://nodesecurity.io/advisories/98

Comment 1 Andrej Nemec 2016-04-19 06:51:55 EDT

Created npm tracking bugs for this issue:

Affects: fedora-all [bug 1328414]
Affects: epel-6 [bug 1328415]
Affects: epel-7 [bug 1328416]

Comment 2 Tomas Hoger 2016-04-26 09:07:29 EDT

Blog posts from npm and nodejs upstreams:

http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

Upstream commits:

https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1)
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3)

Upstream bug report:

https://github.com/npm/npm/issues/8380

Comment 3 Tomas Hoger 2016-04-27 05:33:26 EDT

This is only relevant to use cases where npm is used with authentication - private repos or workstations form which developers publish new package versions.  Common uses case when npm is used to install publicly available packages are not affected.

Comment 4 Andrej Nemec 2016-07-04 03:46:41 EDT

This issue has a CVE now:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3956

Note You need to log in before you can comment on or make changes to this bug.