CVE-2020-15095 (Medium) detected in npm-6.9.0.tgz - autoclosed

[mend-bolt-for-github]

CVE-2020-15095 - Medium Severity Vulnerability

Vulnerable Library - npm-6.9.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

• semantic-release-15.14.0.tgz (Root Library)
  • npm-5.1.7.tgz
    • ❌ npm-6.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 9fcea6cad97d59393155a130bd746b21aa833b23

Found in base branch: develop

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution (npm): 6.14.6

Direct dependency fix Resolution (semantic-release): 16.0.0

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.