OSV:GHSA-5FRW-4RWQ-XHCR

Deno's improper suffix match testing for DENO_AUTH_TOKENS

2024-03-06 17:03:36
Source: Google (osv.dev)
Tags: deno, security, import, tokens, hostname, vulnerability, code

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Summary

Deno improperly checks that an import specifier’s hostname is equal to or a child of a token’s hostname, which can cause tokens to be sent to servers they shouldn’t be sent to. An auth token intended for example.com may be sent to notexample.com.

Details

auth_tokens.rs uses a simple ends_with check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.
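The following is an added example, not Deno's own auth_tokens.rs, that puts the suffix-only check described above beside a boundary-aware replacement: the import hostname must either equal the token hostname or end with "." followed by it. The function names, the case folding and the trailing-dot trimming are this example's own choices and not a description of Deno's fix.

```rust
/// Vulnerable form of the check: a bare suffix test. "www.deno.land" ends
/// with "deno.land" as intended, but so does
/// "im-in-ur-servers-attacking-ur-deno.land" and "notexample.com" ends
/// with "example.com", so tokens leak to unrelated hosts.
pub fn host_matches_suffix_only(token_host: &str, import_host: &str) -> bool {
    import_host.ends_with(token_host)
}

/// Boundary-aware form: the import host is accepted only if it equals the
/// token host or is a subdomain of it (ends with "." + token host).
/// Hostnames are compared case-insensitively and without a trailing dot
/// (assumption of this example; DNS names are case-insensitive).
pub fn host_matches_exact_or_subdomain(token_host: &str, import_host: &str) -> bool {
    let token = token_host.trim_end_matches('.').to_ascii_lowercase();
    let import = import_host.trim_end_matches('.').to_ascii_lowercase();
    if token.is_empty() {
        // An empty token host would otherwise match every import host.
        return false;
    }
    import == token || import.ends_with(&format!(".{}", token))
}

/// Constructed helper: pick the token to attach to a request for
/// `import_host` from a list of (token, host) pairs, using the
/// boundary-aware check. Returns None when no token is scoped to the host.
pub fn select_token<'a>(tokens: &'a [(&'a str, &'a str)], import_host: &str) -> Option<&'a str> {
    tokens
        .iter()
        .find(|(_, host)| host_matches_exact_or_subdomain(host, import_host))
        .map(|(token, _)| *token)
}

fn main() {
    // Constructed sample: one token scoped to deno.land, a few candidate hosts.
    let tokens = [("secret-token", "deno.land")];
    for host in [
        "deno.land",
        "www.deno.land",
        "im-in-ur-servers-attacking-ur-deno.land",
        "notexample.com",
    ] {
        println!(
            "{host}: suffix-only={} boundary-aware={} selected={:?}",
            host_matches_suffix_only("deno.land", host),
            host_matches_exact_or_subdomain("deno.land", host),
            select_token(&tokens, host)
        );
    }
}
```

Running the block prints one line per host; the attacking host is accepted by the suffix-only check and rejected by the boundary-aware one, which is the whole difference the advisory turns on.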

PoC

  • Set up a server that logs requests. RequestBin will do. For example, denovulnpoc.example.com.
  • Run [email protected] deno run https://not-a-left-truncated.domain. For example, [email protected] deno run https://denovulnpoc.example.com
  • Observe that the token intended only for the truncated domain is sent to the full domain

Impact

What kind of vulnerability is it? Who is impacted?
Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.

CPE | Name | Operator | Version
--- | --- | --- | ---
 | deno | ge | 1.8.0
 | deno | lt | 1.40.4
