{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-03T17:29:38.328Z", "datePublished": "2024-06-06T15:28:14.216Z", "dateUpdated": "2024-08-02T03:50:54.672Z"}, "containers": {"cna": {"title": "Private npm registry support used scope auth token for downloading tarballs", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC"], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": "= 1.44.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-06T15:28:14.216Z"}, "descriptions": [{"lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."}], "source": {"advisory": "GHSA-rfc6-h225-3vxv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T17:33:25.620412Z", "id": "CVE-2024-37150", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:33:35.582Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.672Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.672Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T17:33:25.620412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:33:31.165Z"}}], "cna": {"title": "Private npm registry support used scope auth token for downloading tarballs", "source": {"advisory": "GHSA-rfc6-h225-3vxv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "= 1.44.0"}]}], "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-06T15:28:14.216Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37150", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:54.672Z", "dateReserved": "2024-06-03T17:29:38.328Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-06T15:28:14.216Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:1.44.0:*:*:*:*:*:*:*", "matchCriteriaId": "B213C620-6FA3-4EFB-A648-CC44099579CD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en el soporte de `.npmrc` en Deno 1.44.0 donde Deno enviaba credenciales `.npmrc` para el alcance a la URL tarball cuando el registro proporcionaba URL para un tarball en un dominio diferente. Todos los usuarios que dependen de .npmrc se ven potencialmente afectados por esta vulnerabilidad si su registro privado hace referencia a URL tarball en un dominio diferente. Esto incluye el uso del subcomando deno install, la instalaci\u00f3n autom\u00e1tica para npm: especificadores y el uso de LSP. Se recomienda actualizar a Deno 1.44.1 y, si su registro privado alguna vez sirve archivos comprimidos en un dominio diferente, rotar sus credenciales de registro."}], "id": "CVE-2024-37150", "lastModified": "2024-11-21T09:23:18.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T16:15:12.890", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-706"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}