VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-e2wc-na6c-c3cr

Essentials
Severities (33)
References (22)
Severity details (22)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-e2wc-na6c-c3cr
Aliases	CVE-2020-15095 GHSA-93f3-23rq-pjfp
Summary	npm CLI exposing sensitive information through logs Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-532	Insertion of Sensitive Information into Log File
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	4.4	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
generic_textual	MODERATE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
cvssv3.1	4.4	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
generic_textual	MODERATE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
cvssv3.1	4.4	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
generic_textual	MODERATE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
cvssv3	4.4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15095.json
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2020-15095
cvssv3.1	5.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-93f3-23rq-pjfp
cvssv3.1	4.4	https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
generic_textual	MODERATE	https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
cvssv3.1	4.4	https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
generic_textual	MODERATE	https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
cvssv3.1	4.4	https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
cvssv3.1_qr	MODERATE	https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
generic_textual	MODERATE	https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
cvssv3.1	4.4	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6
generic_textual	MODERATE	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6
cvssv3.1	4.4	https://nvd.nist.gov/vuln/detail/CVE-2020-15095
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2020-15095
cvssv3.1	4.4	https://security.gentoo.org/glsa/202101-07
generic_textual	MODERATE	https://security.gentoo.org/glsa/202101-07

Reference id	Reference type	URL
		http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
		http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
		http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15095.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-15095
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15095
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
		https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
		https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
		https://nvd.nist.gov/vuln/detail/CVE-2020-15095
		https://security.gentoo.org/glsa/202101-07
1856875		https://bugzilla.redhat.com/show_bug.cgi?id=1856875
964746		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964746
GHSA-93f3-23rq-pjfp		https://github.com/advisories/GHSA-93f3-23rq-pjfp
RHSA-2020:4272		https://access.redhat.com/errata/RHSA-2020:4272
RHSA-2020:4903		https://access.redhat.com/errata/RHSA-2020:4903
RHSA-2020:5086		https://access.redhat.com/errata/RHSA-2020:5086
RHSA-2021:0521		https://access.redhat.com/errata/RHSA-2021:0521
RHSA-2021:0548		https://access.redhat.com/errata/RHSA-2021:0548

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15095.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-15095

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://security.gentoo.org/glsa/202101-07

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.27803
EPSS Score	0.001
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:00:22.553916+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-93f3-23rq-pjfp/GHSA-93f3-23rq-pjfp.json	38.0.0