cve-2024-37150
Vulnerability from cvelistv5
Published: 2024-06-06 15:28
Modified: 2024-08-02 03:50
Summary
An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on `.npmrc` are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of the `deno install` subcommand, auto-install for `npm:` specifiers, and LSP usage. It is recommended to upgrade to Deno 1.44.1 and, if your private registry ever serves tarballs at a different domain, to rotate your registry credentials.
References
```json
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-37150", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-06T17:33:25.620412Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T17:33:35.582Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" },
{ "providerMetadata": { "dateUpdated": "2024-08-02T03:50:54.672Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv" }, { "name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575" }, { "name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22" } ], "title": "CVE Program Container" } ],
"cna": { "affected": [ { "product": "deno", "vendor": "denoland", "versions": [ { "status": "affected", "version": "= 1.44.0" } ] } ],
"descriptions": [ { "lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials." } ],
"metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1" } } ],
"problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ],
"providerMetadata": { "dateUpdated": "2024-06-06T15:28:14.216Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" },
"references": [ { "name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv" }, { "name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575" }, { "name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22" } ],
"source": { "advisory": "GHSA-rfc6-h225-3vxv", "discovery": "UNKNOWN" }, "title": "Private npm registry support used scope auth token for downloading tarballs" } },
"cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-37150", "datePublished": "2024-06-06T15:28:14.216Z", "dateReserved": "2024-06-03T17:29:38.328Z", "dateUpdated": "2024-08-02T03:50:54.672Z", "state": "PUBLISHED" },
"dataType": "CVE_RECORD", "dataVersion": "5.1",
"vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-37150\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-06T16:15:12.890\",\"lastModified\":\"2024-11-21T09:23:18.263\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en el soporte de `.npmrc` en Deno 1.44.0 donde Deno enviaba credenciales `.npmrc` para el alcance a la URL tarball cuando el registro proporcionaba URL para un tarball en un dominio diferente. Todos los usuarios que dependen de .npmrc se ven potencialmente afectados por esta vulnerabilidad si su registro privado hace referencia a URL tarball en un dominio diferente. Esto incluye el uso del subcomando deno install, la instalaci\u00f3n autom\u00e1tica para npm: especificadores y el uso de LSP. Se recomienda actualizar a Deno 1.44.1 y, si su registro privado alguna vez sirve archivos comprimidos en un dominio diferente, rotar sus credenciales de registro.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-706\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:deno:deno:1.44.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B213C620-6FA3-4EFB-A648-CC44099579CD\"}]}]}],\"references\":[{\"url\":\"https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]}]}}" } }
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.