Deno 1.44.0 vulnerability affects .npmrc credentials
CVE-2024-37150

6.5MEDIUM

Key Information:

Vendor

Denoland

Status
Deno
Vendor
CVE Published:
6 June 2024

What is CVE-2024-37150?

An issue in .npmrc support in Deno 1.44.0 was discovered where Deno would send .npmrc credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials.

Affected Version(s)

deno = 1.44.0

References

https://github.com/denoland/deno/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/denoland/deno/commit/566adb7c0a0c0845e...
x_refsource_MISC
https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-a...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.