Deno improperly checks import specifier hostname
CVE-2024-27932

4.6MEDIUM

Key Information:

Vendor

Denoland

Status
Deno
Vendor
CVE Published:
21 March 2024

What is CVE-2024-27932?

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example[.]com may be sent to notexample[.]com. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue

Affected Version(s)

deno >= 1.8.0, < 1.40.4

References

https://github.com/denoland/deno/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/denoland/deno/commit/de23e3b60b066481c...
x_refsource_MISC
https://github.com/denoland/deno/blob/3f4639c330a31741b0e...
x_refsource_MISC

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.