Vulnerability CVE-2016-3956 - CERT Civis.Net

Vulnerability Name:

CVE-2016-3956 (CCN-112153)

Assigned:

2016-03-31

Published:

2016-03-31

Updated:

2021-06-15

Summary:

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: CCN
Type: The npm Blog, March 31, 2016 (3:54 pm)
fixing a bearer token vulnerability

Source: CONFIRM
Type: Vendor Advisory
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability

Source: MITRE
Type: CNA
CVE-2016-3956

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21980827

Source: CCN
Type: IBM Security Bulletin N1021324 (i)
Vulnerabilities in Node.js affect IBM i

Source: CCN
Type: IBM Security Bulletin 1981433 (SDK for Node.js for Bluemix)
Current Releases of IBM SDK for Node.js in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537.

Source: CCN
Type: IBM Security Bulletin 1986144 (API Connect)
Multiple vulnerabilities in NPM affects IBM API Connect (CVE-2016-3956, CVE-2016-2537, CVE-2016-2515)

Source: XF
Type: UNKNOWN
npm-cve20163956-info-disc(112153)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401

Source: CONFIRM
Type: Third Party Advisory
https://github.com/npm/npm/issues/8380

Source: CCN
Type: Node.js Web site
npm security updates v2.15.1 and v3.8.3

Source: CONFIRM
Type: Vendor Advisory
https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016/

Source: CCN
Type: IBM Security Bulletin 1980827 (SDK for Node.js)
Current Releases of IBM SDK for Node.js are affected by CVE-2016-3956

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:sdk:*:*:*:*:*:nodejs:*:* (Version <= 1.2.0.10)

OR cpe:/a:ibm:sdk:*:*:*:*:*:nodejs:*:* (Version <= 4.4.1.0)

OR cpe:/a:ibm:sdk:*:*:*:*:*:nodejs:*:* (Version <= 1.1.0.20)

Configuration 2:

cpe:/a:nodejs:node.js:5.6.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.4.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.3.2:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.3.1:rc.2:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.2.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.1.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.8:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.6:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.9:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.7:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.38:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.36:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.31:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.3:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.23:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.21:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.16:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.14:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.4.0:rc.4:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.4.0:rc.3:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.4.0:rc.2:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.4.0:rc.1:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.6:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.5:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.4:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.3:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.4:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.3:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.2:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.35:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.34:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.33:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.32:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.2:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.19:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.18:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.17:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.9.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.9.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.8.1:rc.1:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.8.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.7.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.5.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.4.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.9:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.5:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.41:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.40:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.4:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.28:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.27:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.26:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.25:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.13:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.12:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.11:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.10:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.7.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.4.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.3.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.3.1:rc.1:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.3.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:5.1.1:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.7:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.5:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.8:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.6:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.39:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.37:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.30:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.29:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.24:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.22:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.20:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.16-isaacs-manual:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.15:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:0.10.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:npmjs:npm:*:*:*:*:*:*:*:* (Version < 2.15.1)

OR cpe:/a:npmjs:npm:*:*:*:*:*:*:*:* (Version >= 3.0.0 and < 3.8.3)

Configuration CCN 1:

cpe:/a:npm:npm:2.15.0:*:*:*:*:*:*:*

OR cpe:/a:npm:npm:3.8.2:*:*:*:*:*:*:*

AND

cpe:/o:ibm:i:7.1:*:*:*:*:*:*:*

OR cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*

OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.1.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201639560000000	V	CVE-2016-3956 on Ubuntu 18.04 LTS (bionic) - medium.	2016-07-02
oval:com.ubuntu.artful:def:20163956000	V	CVE-2016-3956 on Ubuntu 17.10 (artful) - medium.	2016-07-02
oval:com.ubuntu.trusty:def:20163956000	V	CVE-2016-3956 on Ubuntu 14.04 LTS (trusty) - medium.	2016-07-02
oval:com.ubuntu.xenial:def:201639560000000	V	CVE-2016-3956 on Ubuntu 16.04 LTS (xenial) - medium.	2016-07-02
oval:com.ubuntu.bionic:def:20163956000	V	CVE-2016-3956 on Ubuntu 18.04 LTS (bionic) - medium.	2016-07-02
oval:com.ubuntu.xenial:def:20163956000	V	CVE-2016-3956 on Ubuntu 16.04 LTS (xenial) - medium.	2016-07-02
oval:com.ubuntu.disco:def:201639560000000	V	CVE-2016-3956 on Ubuntu 19.04 (disco) - medium.	2016-07-02
oval:com.ubuntu.cosmic:def:20163956000	V	CVE-2016-3956 on Ubuntu 18.10 (cosmic) - medium.	2016-07-02
oval:com.ubuntu.cosmic:def:201639560000000	V	CVE-2016-3956 on Ubuntu 18.10 (cosmic) - medium.	2016-07-02
oval:com.ubuntu.precise:def:20163956000	V	CVE-2016-3956 on Ubuntu 12.04 LTS (precise) - medium.	2016-07-02