CVE-2024-27932 - Vulnerability Details - OpenCVE

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Deno	Deno

Configuration 1 [-]

cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89
https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b
https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr

History

Fri, 03 Jan 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Deno Deno deno
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:deno:deno::::::::
Vendors & Products		Deno Deno deno

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-06T20:45:16.373Z

Updated: 2024-08-05T16:59:34.779Z

Reserved: 2024-02-28T15:14:14.216Z

Link: CVE-2024-27932

Vulnrichment

Updated: 2024-08-02T00:41:55.783Z

NVD

Status : Analyzed

Published: 2024-03-21T02:52:21.953

Modified: 2025-01-03T19:19:52.197

Link: CVE-2024-27932

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27932", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.216Z", "datePublished": "2024-03-06T20:45:16.373Z", "dateUpdated": "2024-08-05T16:59:34.779Z"}, "containers": {"cna": {"title": "Deno's improper suffix match testing for DENO_AUTH_TOKENS", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr"}, {"name": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b"}, {"name": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": ">= 1.8.0, < 1.40.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T20:45:16.373Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue"}], "source": {"advisory": "GHSA-5frw-4rwq-xhcr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.783Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr"}, {"name": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b"}, {"name": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89"}]}, {"affected": [{"vendor": "denoland", "product": "deno", "cpes": ["cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.8.0", "status": "affected", "lessThan": "1.40.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T16:57:53.068963Z", "id": "CVE-2024-27932", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T16:59:34.779Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr", "name": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b", "name": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89", "name": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.783Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27932", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T16:57:53.068963Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"], "vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "1.8.0", "lessThan": "1.40.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T16:58:59.823Z"}}], "cna": {"title": "Deno's improper suffix match testing for DENO_AUTH_TOKENS", "source": {"advisory": "GHSA-5frw-4rwq-xhcr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": ">= 1.8.0, < 1.40.4"}]}], "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr", "name": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b", "name": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89", "name": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T20:45:16.373Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27932", "state": "PUBLISHED", "dateUpdated": "2024-08-05T16:59:34.779Z", "dateReserved": "2024-02-28T15:14:14.216Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-06T20:45:16.373Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", "matchCriteriaId": "848BE47F-134F-4489-BC2C-785B5B0C0AAB", "versionEndExcluding": "1.40.4", "versionStartIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue"}, {"lang": "es", "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. A partir de la versi\u00f3n 1.8.0 y antes de la versi\u00f3n 1.40.4, Deno verifica incorrectamente que el nombre de host de un especificador de importaci\u00f3n sea igual o hijo del nombre de host de un token, lo que puede causar que los tokens se env\u00eden a servidores a los que no deber\u00edan enviarse. Un token de autenticaci\u00f3n destinado a `example[.]com` puede enviarse a `notexample[.]com`. Cualquiera que utilice DENO_AUTH_TOKENS e importe c\u00f3digo potencialmente no confiable se ver\u00e1 afectado. La versi\u00f3n 1.40.0 contiene un parche para este problema"}], "id": "CVE-2024-27932", "lastModified": "2025-01-03T19:19:52.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-21T02:52:21.953", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}