CVE-2024-37150
PUBLISHED
CVSS 7.6 HIGH
An issue was discovered in the `.npmrc` support in Deno 1.44.0: when the registry provided a tarball URL on a different domain, Deno would send the `.npmrc` credentials for the scope to that tarball URL. All users relying on `.npmrc` are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of the `deno install` subcommand, auto-install for `npm:` specifiers, and LSP usage. It is recommended to upgrade to Deno 1.44.1 and, if your private registry ever serves tarballs at a different domain, to rotate your registry credentials.
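A check for the exposure condition described above, as an added example that is not part of the advisory or of Deno's code: it reads the scoped registries from `.npmrc` text and lists registry metadata entries whose `dist.tarball` sits on a different origin than the scope's registry. The hosts, the `@acme` scope, the package data and the function names are constructed, and comparing full origins (scheme, host, port) is an assumption that is stricter than the advisory's "different domain".

```javascript
// Added example. All hosts, scopes and package names are constructed sample data.

// Parse `@scope:registry=URL` lines from .npmrc text into a Map(scope -> URL).
function parseScopedRegistries(npmrcText) {
  const scopes = new Map();
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = /^(@[^:\s]+):registry\s*=\s*(\S+)$/.exec(line);
    if (m) scopes.set(m[1], new URL(m[2]));
  }
  return scopes;
}

// Assumption: registry credentials belong only on requests to the same origin.
function sameOrigin(registryUrl, tarballUrl) {
  return registryUrl.origin === new URL(tarballUrl).origin;
}

// packuments: registry metadata documents shaped like
// { name, versions: { "<version>": { dist: { tarball } } } }
function findCrossOriginTarballs(npmrcText, packuments) {
  const scopes = parseScopedRegistries(npmrcText);
  const findings = [];
  for (const doc of packuments) {
    const scope = doc.name.startsWith("@") ? doc.name.split("/")[0] : null;
    const registry = scope ? scopes.get(scope) : undefined;
    if (!registry) continue; // no scoped registry, so no scoped credentials
    for (const [version, meta] of Object.entries(doc.versions ?? {})) {
      const tarball = meta?.dist?.tarball;
      if (tarball && !sameOrigin(registry, tarball)) {
        findings.push({ name: doc.name, version, registry: registry.origin, tarball });
      }
    }
  }
  return findings;
}

// Constructed sample input: one scoped registry with a token placeholder.
const SAMPLE_NPMRC = [
  "; constructed sample",
  "@acme:registry=https://npm.internal.example/",
  "//npm.internal.example/:_authToken=PLACEHOLDER_TOKEN",
].join("\n");
const SAMPLE_PACKUMENTS = [
  { name: "@acme/utils", versions: {
    "1.0.0": { dist: { tarball: "https://npm.internal.example/@acme/utils/-/utils-1.0.0.tgz" } },
    "1.1.0": { dist: { tarball: "https://cdn.files.example/acme/utils-1.1.0.tgz" } } } },
  { name: "unscoped-pkg", versions: {
    "2.0.0": { dist: { tarball: "https://other.example/unscoped-pkg-2.0.0.tgz" } } } },
];
```

Any finding for a scope whose credentials were used with Deno 1.44.0 marks a registry token to rotate, per the recommendation above.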
EPSS 0.45% · 63.8th percentile
Risk Scores
CVSS v3.1
7.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
EPSS Score
0.45%
63.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| denoland | deno | = 1.44.0 |
| deno | deno | 1.44.0 |
Timeline
- Jan 21, 1970 Security Advisory
- Jun 6, 2024 CVE Published
- Jun 7, 2024 EPSS Score
- Jun 30, 2024 EPSS Score
- Jul 23, 2024 EPSS Score
- Aug 15, 2024 EPSS Score
- Sep 7, 2024 EPSS Score
- Oct 1, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 24, 2024 EPSS Score
- Nov 16, 2024 EPSS Score
- Dec 10, 2024 EPSS Score