CVE-2022-0355 Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.


simple-get is a small Node.js HTTP client that follows 3xx redirects automatically. In versions before 4.0.1, when a response redirected the request to a different host, the client reissued the request with its original headers unchanged, including credential-bearing headers such as Authorization and Cookie. Any server able to answer with a redirect could therefore forward a client's bearer token or session cookie to a host of its choosing; that is the exposure of sensitive information to an unauthorized actor that the CVE describes. Version 4.0.1 removes the Authorization and Cookie headers before following a redirect whose hostname differs from that of the request being replaced. A redirect that stays on the same host keeps them, so authenticated sessions behind same-site redirects continue to work without any change on the caller's side.

Remediation

There is no setting to change in npm or in your application; the fix lives in the simple-get package itself. Upgrade to simple-get 4.0.1 or later in every project that depends on it, directly or through another package, and redeploy. Current releases are listed on the package's registry page: https://www.npmjs.com/package/

Checking which version you have

The version that matters is that of the simple-get package in your project's dependency tree, not the version of the npm command-line tool; the two are unrelated, and a current npm does not protect an old simple-get. To list every copy your tree pulls in, including transitive ones, run npm ls simple-get; npm audit reports whether any of them is flagged in the advisory database. For a direct dependency, npm install simple-get@^4.0.1 moves you to a fixed release. For a transitive dependency, the package that depends on simple-get must itself allow a fixed version, so check its declared range before assuming npm update has resolved it. Note that npm update -g touches only globally installed packages and does nothing for a project's own dependencies. General installation instructions for npm packages are at https://docs.npmjs.com/getting-started/installing-modules#installation

How the leak happens

A client that follows redirects keeps the options of the original request and reissues them against the URL in the Location header. Before 4.0.1, simple-get copied the headers wholesale, so a request to an API with Authorization: Bearer ... that was answered with a 302 pointing at another host arrived at that host carrying the same bearer token. Whoever controls the first server's response chooses the redirect target: an attacker who has compromised that server, an open-redirect bug in it, or simply a third party it legitimately hands off to (a CDN, an object store) that should never see the credential.

What changed in 4.0.1

Before following a 3xx response, the client compares the hostname of the Location URL with the hostname of the request it is about to replace. If they differ, the Authorization and Cookie headers are deleted from the options used for the next hop; the Host header is always discarded so the next request recomputes it for the new target. Redirects that stay on the same host are unaffected.

If you cannot upgrade immediately

For requests that carry credentials, set simple-get's followRedirects option to false and handle the 3xx response yourself, deciding per target whether the credential may be re-sent. Alternatively, avoid attaching Authorization or Cookie to requests whose redirect behaviour you do not control.
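The following JavaScript is an added example and is not simple-get's own code. It models a redirect-following client in two variants: the pre-4.0.1 pattern, which re-sends every header to whatever host a Location header names, and a hardened variant that drops credential headers when the redirect leaves the original hostname. It uses only Node's built-in URL class; the hostnames, tokens and responses are constructed for the demonstration, and the simulated server table stands in for the network.

```javascript
// Added example, not simple-get's code. Models the header-forwarding behaviour
// behind CVE-2022-0355 and the hostname check that stops it. No network is used:
// responses come from the constructed table below; hostnames are invented.

// Headers that carry credentials and must not cross a host boundary.
const SENSITIVE_HEADERS = ['authorization', 'cookie'];

// Vulnerable pattern: build the next hop by copying every header as-is.
function followRedirectLeaky(req, location) {
  const target = new URL(location, req.url); // resolves relative Locations too
  return { url: target.toString(), headers: { ...req.headers } };
}

// Hardened pattern: same, but strip credentials when the hostname changes.
function followRedirectSafe(req, location) {
  const original = new URL(req.url);
  const target = new URL(location, original);
  const headers = { ...req.headers };
  if (target.hostname !== original.hostname) {
    for (const name of Object.keys(headers)) {
      if (SENSITIVE_HEADERS.includes(name.toLowerCase())) delete headers[name];
    }
  }
  delete headers.host; // Host is per-target; the next request recomputes it
  return { url: target.toString(), headers };
}

// Constructed responses standing in for two servers. The first redirects an
// authenticated API call to a third-party host; the second is a same-host move.
const RESPONSES = {
  'https://api.example.com/report': {
    status: 302, headers: { location: 'https://cdn.third-party.example/report.pdf' },
  },
  'https://cdn.third-party.example/report.pdf': { status: 200, body: 'report bytes' },
  'https://api.example.com/old': { status: 301, headers: { location: '/new' } },
  'https://api.example.com/new': { status: 200, body: 'moved content' },
};

// Drive a request through the table, following redirects with the given policy.
// Returns the final body and, for each hop, exactly what that server received.
function simulateRequest(req, followRedirect, responses = RESPONSES, maxRedirects = 5) {
  const hops = [];
  let current = { url: req.url, headers: { ...req.headers } };
  for (let i = 0; i <= maxRedirects; i++) {
    const res = responses[current.url];
    if (!res) throw new Error(`no constructed response for ${current.url}`);
    hops.push({ url: current.url, headers: { ...current.headers } });
    const isRedirect = res.status >= 300 && res.status < 400 &&
      res.headers && res.headers.location;
    if (!isRedirect) return { body: res.body, hops };
    current = followRedirect(current, res.headers.location);
  }
  throw new Error('too many redirects');
}

// Which credential headers did a given hostname receive during the exchange?
function credentialsSeenBy(result, hostname) {
  const seen = [];
  for (const hop of result.hops) {
    if (new URL(hop.url).hostname !== hostname) continue;
    for (const name of Object.keys(hop.headers)) {
      if (SENSITIVE_HEADERS.includes(name.toLowerCase())) seen.push(name);
    }
  }
  return seen.sort();
}

// Constructed authenticated request (token and cookie are placeholders).
const authedRequest = {
  url: 'https://api.example.com/report',
  headers: { Authorization: 'Bearer s3cr3t-token', Cookie: 'session=abc123' },
};

const demoLeaky = simulateRequest(authedRequest, followRedirectLeaky);
const demoSafe = simulateRequest(authedRequest, followRedirectSafe);
console.log('leaky client, third party received:', credentialsSeenBy(demoLeaky, 'cdn.third-party.example'));
console.log('safe client, third party received:', credentialsSeenBy(demoSafe, 'cdn.third-party.example'));
```

The comparison is on hostname, which matches the class of check the advisory's fix performs; comparing the full origin instead would additionally strip credentials on a same-host https to http downgrade, at the cost of also stripping them on a legitimate http to https upgrade. The same-host relative redirect in the table shows that the hardened policy leaves such hops untouched.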
