CGA-j38x-72p8-x773

Published

Last updated

https://images.chainguard.dev/security/CGA-j38x-72p8-x773

Package

gitlab-rails-ee-17.7

Latest Update

Not affected

Aliases

CVE-2016-3956
GHSA-m5h6-hr3q-22h5

Summary

npm Token Leak in npm

Description

Affected versions of the npm package include the bearer token of the logged in user in every request made by the CLI, even if the request is not directed towards the user's active registry.

An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token.

This compromised token could be used to do anything that the user could do, including publishing new packages.

Recommendation

Update npm with npm install npm@latest -g
Revoke your Tokens
Enable Two-Factor Authentication

References

https://nvd.nist.gov/vuln/detail/CVE-2016-3956
https://github.com/advisories/GHSA-m5h6-hr3q-22h5
https://github.com/npm/npm/issues/8380
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016
https://www.npmjs.com/advisories/98
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21980827

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-j38x-72p8-x773

Summary

Description

Recommendation

References

Updates

Product

Why Chainguard

Customers

Company

Resources