All the vulnerabilites related to denoland - deno
cve-2023-28446
Vulnerability from cvelistv5
Published
2023-03-24 19:46
Modified
2024-08-02 12:38
Severity ?
EPSS score ?
Summary
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175 | x_refsource_MISC | |
| https://github.com/denoland/deno/releases/tag/v1.31.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.379Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf"
},
{
"name": "https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.31.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.31.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.31.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T19:46:28.641Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf"
},
{
"name": "https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.31.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.31.2"
}
],
"source": {
"advisory": "GHSA-vq67-rp93-65qf",
"discovery": "UNKNOWN"
},
"title": "Deno is vulnerable to interactive `run` permission prompt spoofing via improper ANSI neutralization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28446",
"datePublished": "2023-03-24T19:46:28.641Z",
"dateReserved": "2023-03-15T15:59:10.057Z",
"dateUpdated": "2024-08-02T12:38:25.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-33966
Vulnerability from cvelistv5
Published
2023-05-31 17:15
Modified
2024-08-02 15:54
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/releases/tag/v1.34.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.202Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.34.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.34.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "deno = 1.34.0"
},
{
"status": "affected",
"version": "deno_runtime = 0.114.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-31T17:15:13.791Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.34.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.34.1"
}
],
"source": {
"advisory": "GHSA-vc52-gwm3-8v2f",
"discovery": "UNKNOWN"
},
"title": "Deno missing \"--allow-net\" permission check for built-in Node modules"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33966",
"datePublished": "2023-05-31T17:15:13.791Z",
"dateReserved": "2023-05-24T13:46:35.953Z",
"dateUpdated": "2024-08-02T15:54:14.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27934
Vulnerability from cvelistv5
Published
2024-03-06 20:56
Modified
2024-08-02 19:24
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:1.36.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"lessThan": "1.40.3",
"status": "affected",
"version": "1.36.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27934",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T19:23:28.021479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T19:24:42.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.36.2, \u003c 1.40.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T20:56:39.368Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf"
}
],
"source": {
"advisory": "GHSA-3j27-563v-28wf",
"discovery": "UNKNOWN"
},
"title": "*const c_void / ExternalPointer unsoundness leading to use-after-free"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27934",
"datePublished": "2024-03-06T20:56:39.368Z",
"dateReserved": "2024-02-28T15:14:14.216Z",
"dateUpdated": "2024-08-02T19:24:42.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27933
Vulnerability from cvelistv5
Published
2024-03-06 20:52
Modified
2024-08-02 19:55
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.
Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.
This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.
Version 1.39.1 fixes the bug.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
},
{
"name": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
},
{
"name": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:denoland:deno:1.39.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "1.39.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27933",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T19:54:07.494367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T19:55:09.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "= 1.39.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\nVersion 1.39.1 fixes the bug.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T20:52:17.599Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
},
{
"name": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
},
{
"name": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
},
{
"name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
}
],
"source": {
"advisory": "GHSA-6q4w-9x56-rmwq",
"discovery": "UNKNOWN"
},
"title": "Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27933",
"datePublished": "2024-03-06T20:52:17.599Z",
"dateReserved": "2024-02-28T15:14:14.216Z",
"dateUpdated": "2024-08-02T19:55:09.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-32468
Vulnerability from cvelistv5
Published
2024-11-25 18:44
Modified
2024-11-25 19:26
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript written in rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which lead to Self-XSS with deno doc --html. 1.) XSS in generated `search_index.js`, `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitzed HTML input. 2.) XSS via property, method and enum names, `deno_doc` did not sanitize property names, method names and enum names. The first XSS most likely didn't have an impact since `deno doc --html` is expected to be used locally with own packages.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-25T19:17:51.270461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T19:26:26.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "deno_doc: \u003c 0.119.0"
},
{
"status": "affected",
"version": "deno: \u003c 1.42.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript written in rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which lead to Self-XSS with deno doc --html. 1.) XSS in generated `search_index.js`, `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitzed HTML input. 2.) XSS via property, method and enum names, `deno_doc` did not sanitize property names, method names and enum names. The first XSS most likely didn\u0027t have an impact since `deno doc --html` is expected to be used locally with own packages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T18:44:27.785Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-qqwr-j9mm-fhw6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-qqwr-j9mm-fhw6"
},
{
"name": "https://github.com/denoland/deno_doc/blob/dc556c848831d7ae48f3eff2ababc6e75eb6b73e/src/html/templates/pages/search.js#L120-L144",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno_doc/blob/dc556c848831d7ae48f3eff2ababc6e75eb6b73e/src/html/templates/pages/search.js#L120-L144"
}
],
"source": {
"advisory": "GHSA-qqwr-j9mm-fhw6",
"discovery": "UNKNOWN"
},
"title": "Improper neutralization of input during web page generation (\"Cross-site Scripting\") in deno_doc HTML generator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32468",
"datePublished": "2024-11-25T18:44:27.785Z",
"dateReserved": "2024-04-12T19:41:51.166Z",
"dateUpdated": "2024-11-25T19:26:26.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27932
Vulnerability from cvelistv5
Published
2024-03-06 20:45
Modified
2024-08-05 16:59
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr"
},
{
"name": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b"
},
{
"name": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "denoland",
"versions": [
{
"lessThan": "1.40.4",
"status": "affected",
"version": "1.8.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27932",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T16:57:53.068963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T16:59:34.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.40.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier\u0027s hostname is equal to or a child of a token\u0027s hostname, which can cause tokens to be sent to servers they shouldn\u0027t be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T20:45:16.373Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr"
},
{
"name": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b"
},
{
"name": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89"
}
],
"source": {
"advisory": "GHSA-5frw-4rwq-xhcr",
"discovery": "UNKNOWN"
},
"title": "Deno\u0027s improper suffix match testing for DENO_AUTH_TOKENS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27932",
"datePublished": "2024-03-06T20:45:16.373Z",
"dateReserved": "2024-02-28T15:14:14.216Z",
"dateUpdated": "2024-08-05T16:59:34.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-32477
Vulnerability from cvelistv5
Published
2024-04-18 19:58
Modified
2024-08-02 02:13
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the `\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:1.42.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"status": "affected",
"version": "1.42.2"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32477",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T20:24:47.591795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:38.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:39.109Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003c 1.42.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it\u0027s possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the `\\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-18T19:58:25.993Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j"
}
],
"source": {
"advisory": "GHSA-95cj-3hr2-7j5j",
"discovery": "UNKNOWN"
},
"title": "Race condition when flushing input stream leads to permission prompt bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32477",
"datePublished": "2024-04-18T19:58:25.993Z",
"dateReserved": "2024-04-12T19:41:51.168Z",
"dateUpdated": "2024-08-02T02:13:39.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27931
Vulnerability from cvelistv5
Published
2024-03-05 16:43
Modified
2024-08-02 00:41
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"lessThan": "1.41.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:01:30.921102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:52:12.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-05T16:43:11.934Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"
}
],
"source": {
"advisory": "GHSA-hrqr-jv8w-v9jh",
"discovery": "UNKNOWN"
},
"title": "Insufficient permission checking in `Deno.makeTemp*` APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27931",
"datePublished": "2024-03-05T16:43:11.934Z",
"dateReserved": "2024-02-28T15:14:14.216Z",
"dateUpdated": "2024-08-02T00:41:55.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27935
Vulnerability from cvelistv5
Published
2024-03-06 21:02
Modified
2024-08-02 20:12
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/issues/20188 | x_refsource_MISC | |
| https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.847Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
},
{
"name": "https://github.com/denoland/deno/issues/20188",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/issues/20188"
},
{
"name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "denoland",
"versions": [
{
"lessThanOrEqual": "1.36.3",
"status": "affected",
"version": "1.35.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27935",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T20:04:17.278451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T20:12:42.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.35.1, \u003c 1.36.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-488",
"description": "CWE-488: Exposure of Data Element to Wrong Session",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T21:02:14.359Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
},
{
"name": "https://github.com/denoland/deno/issues/20188",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/issues/20188"
},
{
"name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
}
],
"source": {
"advisory": "GHSA-wrqv-pf6j-mqjp",
"discovery": "UNKNOWN"
},
"title": "Deno\u0027s Node.js Compatibility Runtime has Cross-Session Data Contamination"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27935",
"datePublished": "2024-03-06T21:02:14.359Z",
"dateReserved": "2024-02-28T15:14:14.216Z",
"dateUpdated": "2024-08-02T20:12:42.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-28445
Vulnerability from cvelistv5
Published
2023-03-23 23:23
Modified
2024-08-02 12:38
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/pull/18395 | x_refsource_MISC | |
| https://github.com/denoland/deno/releases/tag/v1.32.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx"
},
{
"name": "https://github.com/denoland/deno/pull/18395",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/pull/18395"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.32.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.32.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "= 1.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T23:23:27.931Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx"
},
{
"name": "https://github.com/denoland/deno/pull/18395",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/pull/18395"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.32.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.32.1"
}
],
"source": {
"advisory": "GHSA-c25x-cm9x-qqgx",
"discovery": "UNKNOWN"
},
"title": "Deno improperly handles resizable ArrayBuffer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28445",
"datePublished": "2023-03-23T23:23:27.931Z",
"dateReserved": "2023-03-15T15:59:10.056Z",
"dateUpdated": "2024-08-02T12:38:25.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27936
Vulnerability from cvelistv5
Published
2024-03-06 21:05
Modified
2024-08-02 00:41
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d | x_refsource_MISC | |
| https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"lessThan": "1.41.0",
"status": "affected",
"version": "1.32.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T20:24:15.593823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T20:26:36.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"name": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"name": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.32.1, \u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T12:42:08.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"name": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"name": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
}
],
"source": {
"advisory": "GHSA-m4pq-fv2w-6hrw",
"discovery": "UNKNOWN"
},
"title": "Deno interactive permission prompt spoofing via improper ANSI stripping"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27936",
"datePublished": "2024-03-06T21:05:59.251Z",
"dateReserved": "2024-02-28T15:14:14.217Z",
"dateUpdated": "2024-08-02T00:41:55.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24783
Vulnerability from cvelistv5
Published
2022-03-25 21:15
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.18.0, \u003c 1.20.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-25T21:15:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f"
}
],
"source": {
"advisory": "GHSA-838h-jqp6-cf2f",
"discovery": "UNKNOWN"
},
"title": "Sandbox bypass leading to arbitrary code execution in Deno",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24783",
"STATE": "PUBLIC",
"TITLE": "Sandbox bypass leading to arbitrary code execution in Deno"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "deno",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.18.0, \u003c 1.20.3"
}
]
}
}
]
},
"vendor_name": "denoland"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f",
"refsource": "CONFIRM",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f"
}
]
},
"source": {
"advisory": "GHSA-838h-jqp6-cf2f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24783",
"datePublished": "2022-03-25T21:15:12",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:20:50.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-34346
Vulnerability from cvelistv5
Published
2024-05-07 21:02
Modified
2024-08-02 02:51
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\` on Windows.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"lessThan": "1.43.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-14T16:16:40.968446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:25:43.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:11.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003c 1.43.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\\\` on Windows.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-07T21:02:16.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w"
}
],
"source": {
"advisory": "GHSA-23rx-c3g5-hv9w",
"discovery": "UNKNOWN"
},
"title": "Deno contains a permission escalation via open of privileged files with missing `--deny` flag"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34346",
"datePublished": "2024-05-07T21:02:16.809Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-02T02:51:11.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32619
Vulnerability from cvelistv5
Published
2021-05-28 21:00
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:30.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-28T21:00:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj"
}
],
"source": {
"advisory": "GHSA-xpwj-7v8q-mcgj",
"discovery": "UNKNOWN"
},
"title": "Static imports inside dynamically imported modules do not adhere to permission checks",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32619",
"STATE": "PUBLIC",
"TITLE": "Static imports inside dynamically imported modules do not adhere to permission checks"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "deno",
"version": {
"version_data": [
{
"version_value": "\u003c 1.10.2"
}
]
}
}
]
},
"vendor_name": "denoland"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj",
"refsource": "CONFIRM",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj"
}
]
},
"source": {
"advisory": "GHSA-xpwj-7v8q-mcgj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32619",
"datePublished": "2021-05-28T21:00:12",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:30.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22499
Vulnerability from cvelistv5
Published
2023-01-17 20:23
Modified
2024-08-02 10:13
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program could clear the terminal screen after permission prompt was shown and write a generic message. This situation impacts users who use Web Worker API and relied on interactive permission prompt. The reproduction is very timing sensitive and can’t be reliably reproduced on every try. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). The problem has been fixed in Deno v1.29.3; it is recommended all users update to this version. Users are advised to upgrade. Users unable to upgrade may run with --no-prompt flag to disable interactive permission prompts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-mc52-jpm2-cqh6 | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/pull/17392 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-mc52-jpm2-cqh6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-mc52-jpm2-cqh6"
},
{
"name": "https://github.com/denoland/deno/pull/17392",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/pull/17392"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9, \u003c 1.29.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program could clear the terminal screen after permission prompt was shown and write a generic message. This situation impacts users who use Web Worker API and relied on interactive permission prompt. The reproduction is very timing sensitive and can\u2019t be reliably reproduced on every try. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). The problem has been fixed in Deno v1.29.3; it is recommended all users update to this version. Users are advised to upgrade. Users unable to upgrade may run with --no-prompt flag to disable interactive permission prompts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T20:23:20.515Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-mc52-jpm2-cqh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-mc52-jpm2-cqh6"
},
{
"name": "https://github.com/denoland/deno/pull/17392",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/pull/17392"
}
],
"source": {
"advisory": "GHSA-mc52-jpm2-cqh6",
"discovery": "UNKNOWN"
},
"title": "Interactive permission prompt spoofing in Deno"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22499",
"datePublished": "2023-01-17T20:23:20.515Z",
"dateReserved": "2022-12-29T17:41:28.091Z",
"dateUpdated": "2024-08-02T10:13:48.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-21620
Vulnerability from cvelistv5
Published
2025-01-06 22:26
Modified
2025-01-07 16:49
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21620",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T16:48:58.089267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:49:19.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno\u0027sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T22:26:40.723Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6"
}
],
"source": {
"advisory": "GHSA-f27p-cmv8-xhm6",
"discovery": "UNKNOWN"
},
"title": "Deno\u0027s authorization headers not dropped when redirecting cross-origin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-21620",
"datePublished": "2025-01-06T22:26:40.723Z",
"dateReserved": "2024-12-29T03:00:24.714Z",
"dateUpdated": "2025-01-07T16:49:19.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-37150
Vulnerability from cvelistv5
Published
2024-06-06 15:28
Modified
2024-08-02 03:50
Severity ?
EPSS score ?
Summary
An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 | x_refsource_MISC | |
| https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T17:33:25.620412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:33:35.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"
},
{
"name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"
},
{
"name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "= 1.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T15:28:14.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv"
},
{
"name": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575"
},
{
"name": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22"
}
],
"source": {
"advisory": "GHSA-rfc6-h225-3vxv",
"discovery": "UNKNOWN"
},
"title": "Private npm registry support used scope auth token for downloading tarballs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37150",
"datePublished": "2024-06-06T15:28:14.216Z",
"dateReserved": "2024-06-03T17:29:38.328Z",
"dateUpdated": "2024-08-02T03:50:54.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}