CVE-2024-37150

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on `.npmrc` are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of the `deno install` subcommand, auto-install for `npm:` specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and, if your private registry ever serves tarballs at a different domain, to rotate your registry credentials.
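An added example in TypeScript (not Deno's or npm's code) that contrasts the scope-based credential selection described above with the URL-prefix rule npm documents in the referenced "No auth for URI, but auth present for scoped registry" wiki page. The `.npmrc` contents, the `@acme` scope, the host names and the token are constructed placeholders.

```typescript
type Npmrc = { scopedRegistries: Map<string, string>; tokens: Map<string, string> };
// Constructed sample .npmrc; the token is a placeholder, not a real credential.
const SAMPLE_NPMRC = [
  "@acme:registry=https://npm.example.com/",
  "//npm.example.com/:_authToken=TOKEN-PLACEHOLDER",
].join("\n");

// Minimal parser: only "@scope:registry=URL" and "//host/path/:_authToken=TOKEN" lines.
function parseNpmrc(text: string): Npmrc {
  const scopedRegistries = new Map<string, string>();
  const tokens = new Map<string, string>();
  text.split("\n").forEach((raw) => {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || line.startsWith(";") || eq < 0) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.startsWith("@") && key.endsWith(":registry")) {
      scopedRegistries.set(key.slice(0, -":registry".length), value);
    } else if (key.startsWith("//") && key.endsWith(":_authToken")) {
      tokens.set(key.slice(0, -":_authToken".length), value);
    }
  });
  return { scopedRegistries, tokens };
}

// "Nerf dart" of a URL: "//host/path/" with the scheme dropped, the form .npmrc keys use.
function nerfDart(url: string): string {
  const u = new URL(url);
  return `//${u.host}${u.pathname.endsWith("/") ? u.pathname : u.pathname + "/"}`;
}

// Flawed selection (Deno 1.44.0 as described above): the credential is picked from the
// package's scope, so it is attached whatever host the tarball URL names.
function credentialByScope(rc: Npmrc, pkgName: string): string | null {
  const scope = pkgName.startsWith("@") ? pkgName.split("/")[0] : "";
  const registry = rc.scopedRegistries.get(scope);
  const token = registry ? rc.tokens.get(nerfDart(registry)) : undefined;
  return token === undefined ? null : token;
}

// Corrected selection: the credential whose key is the longest prefix of the tarball URL's
// own nerf dart; a tarball on a different host matches no key and gets no credential.
function credentialForTarball(rc: Npmrc, tarballUrl: string): string | null {
  const target = nerfDart(tarballUrl);
  let best: string | null = null, bestLen = -1;
  rc.tokens.forEach((token, key) => {
    const k = key.endsWith("/") ? key : key + "/";
    if (target.startsWith(k) && k.length > bestLen) { best = token; bestLen = k.length; }
  });
  return best;
}
```

With the sample configuration, `credentialByScope` hands the token to a tarball request for any host, while `credentialForTarball` returns it only when the tarball URL sits under `//npm.example.com/`.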
Configurations

Configuration 1

cpe:2.3:a:deno:deno:1.44.0:*:*:*:*:*:*:*

History

26 Sep 2024, 14:04

Type Values Removed Values Added
  • References: removed https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 ; added https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 - Patch
  • References: removed https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv ; added https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv - Vendor Advisory
  • References: removed https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22 ; added https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22 - Not Applicable
  • CPE: added cpe:2.3:a:deno:deno:1.44.0:*:*:*:*:*:*:*
  • CVSS: removed v2 : unknown, v3 : 7.6 ; added v2 : unknown, v3 : 6.5
  • First Time: added Deno deno ; Deno
  • CWE: added CWE-706

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) An issue was discovered in `.npmrc` support in Deno 1.44.0 where Deno sent `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on `.npmrc` are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes use of the `deno install` subcommand, auto-install for `npm:` specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and, if your private registry ever serves tarballs at a different domain, to rotate your registry credentials.

06 Jun 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 16:15

Updated : 2024-09-26 14:04

NVD link : CVE-2024-37150

Mitre link : CVE-2024-37150

CVE.ORG link : CVE-2024-37150

Products Affected

deno

  • deno
CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor