CVE-2024-37150 - OpenCVE

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575
https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv
https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-06T15:28:14.216Z

Updated: 2024-08-02T03:50:54.672Z

Reserved: 2024-06-03T17:29:38.328Z

Link: CVE-2024-37150

Vulnrichment

Updated: 2024-08-02T03:50:54.672Z

NVD

Status : Awaiting Analysis

Published: 2024-06-06T16:15:12.890

Modified: 2024-06-07T14:56:05.647

Link: CVE-2024-37150

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-03T17:29:38.328Z", "datePublished": "2024-06-06T15:28:14.216Z", "dateUpdated": "2024-08-02T03:50:54.672Z"}, "containers": {"cna": {"title": "Private npm registry support used scope auth token for downloading tarballs", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC"], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": "= 1.44.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-06T15:28:14.216Z"}, "descriptions": [{"lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."}], "source": {"advisory": "GHSA-rfc6-h225-3vxv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T17:33:25.620412Z", "id": "CVE-2024-37150", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:33:35.582Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.672Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:54.672Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T17:33:25.620412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:33:31.165Z"}}], "cna": {"title": "Private npm registry support used scope auth token for downloading tarballs", "source": {"advisory": "GHSA-rfc6-h225-3vxv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "= 1.44.0"}]}], "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-06T15:28:14.216Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37150", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:54.672Z", "dateReserved": "2024-06-03T17:29:38.328Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-06T15:28:14.216Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en el soporte de `.npmrc` en Deno 1.44.0 donde Deno enviaba credenciales `.npmrc` para el alcance a la URL tarball cuando el registro proporcionaba URL para un tarball en un dominio diferente. Todos los usuarios que dependen de .npmrc se ven potencialmente afectados por esta vulnerabilidad si su registro privado hace referencia a URL tarball en un dominio diferente. Esto incluye el uso del subcomando deno install, la instalaci\u00f3n autom\u00e1tica para npm: especificadores y el uso de LSP. Se recomienda actualizar a Deno 1.44.1 y, si su registro privado alguna vez sirve archivos comprimidos en un dominio diferente, rotar sus credenciales de registro."}], "id": "CVE-2024-37150", "lastModified": "2024-06-07T14:56:05.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-06T16:15:12.890", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"}, {"source": "security-advisories@github.com", "url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"}, {"source": "security-advisories@github.com", "url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}