Home > Vulnerability Database > CVE-2024-37150

Mend.io Vulnerability Database

CVE-2024-37150

Date: June 6, 2024

An issue in ".npmrc" support in Deno 1.44.0 was discovered where Deno would send ".npmrc" credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials.

Language: RUST

Severity Score

7.6

Related Resources (5)

Url: https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-37150

Url: https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv

Url: https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575

Url: https://www.mend.io/vulnerability-database/CVE-2024-37150

Severity Score

7.6

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Use of Incorrectly-Resolved Name or Reference

CWE-706

CVSS v3.1

Base Score:	7.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-37150

Date: June 6, 2024

Language: RUST

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?