icon

We found results for “

CVE-2024-37150

Good to know:

icon

Date: June 6, 2024

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials.

Language: RUST

Severity Score

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Use of Incorrectly-Resolved Name or Reference

CWE-706

Top Fix

icon

Upgrade Version

Upgrade to version deno - 1.44.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us