Bug 1856875 (CVE-2020-15095) - CVE-2020-15095 npm: sensitive information exposure through logs
Summary: CVE-2020-15095 npm: sensitive information exposure through logs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-15095
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1856876 1857056 2037502 2092766 2092893 1856877 1857054 1857055 1857057 1887948 1887949 1888291 1916691 1917863 2091691
Blocks: 1856878
Reported: 2020-07-14 15:48 UTC by Michael Kaplan
Modified: 2022-06-02 13:50 UTC (History)

Fixed In Version: npm 6.14.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:24 UTC



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4272 0 None None None 2020-10-19 07:47:47 UTC
Red Hat Product Errata RHSA-2020:4903 0 None None None 2020-11-04 12:32:20 UTC
Red Hat Product Errata RHSA-2020:5086 0 None None None 2020-11-11 13:35:20 UTC
Red Hat Product Errata RHSA-2021:0521 0 None None None 2021-02-15 18:26:17 UTC
Red Hat Product Errata RHSA-2021:0548 0 None None None 2021-02-16 14:31:30 UTC

Description Michael Kaplan 2020-07-14 15:48:56 UTC
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

References:

https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp

Comment 1 Michael Kaplan 2020-07-14 15:49:21 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1856876]
Affects: fedora-all [bug 1856877]

Comment 3 Todd Cullum 2020-07-15 01:47:36 UTC
Flaw summary:

NPM supports the ability to install packages from a hosted git provider[1] in the format:

`<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish> | #semver:<semver>]`

As shown, a user could provide a password here. If the user does provide a password, it will be stored in the npm debug logs on the machine (default location $HOME/.npm/_logs/), which poses the security risk of an unauthorized person or group being able to view the password in the logs. The patch avoids saving the password to the logs.

NOTE: Using the above command format with a password provided in the terminal will still likely save the password to the terminal log e.g. bash history and is discouraged. Omitting the password from the URL command will create a prompt instead, and the password will be excluded from the terminal logs.

1. https://docs.npmjs.com/cli/install

Comment 5 Todd Cullum 2020-07-15 02:14:14 UTC
Mitigation:

Do not provide a password to npm via the CLI, to avoid it being entered into the logs and stdout, or use SSH instead.

Comment 15 errata-xmlrpc 2020-10-19 07:47:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4272 https://access.redhat.com/errata/RHSA-2020:4272

Comment 16 Product Security DevOps Team 2020-10-19 20:21:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15095

Comment 18 errata-xmlrpc 2020-11-04 12:32:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4903 https://access.redhat.com/errata/RHSA-2020:4903

Comment 21 errata-xmlrpc 2020-11-11 13:35:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5086 https://access.redhat.com/errata/RHSA-2020:5086

Comment 22 errata-xmlrpc 2021-02-15 18:26:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521

Comment 23 errata-xmlrpc 2021-02-16 14:31:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548
