CVE-2020-15095 (Medium) detected in npm-6.9.0.tgz - autoclosed

[mend-bolt-for-github[bot]]

CVE-2020-15095 - Medium Severity Vulnerability

Vulnerable Library - npm-6.9.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy: - semantic-release-15.14.0.tgz (Root Library) - npm-5.1.7.tgz - :x: **npm-6.9.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9fcea6cad97d59393155a130bd746b21aa833b23

Found in base branch: develop

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution (npm): 6.14.6

Direct dependency fix Resolution (semantic-release): 16.0.0

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.