ghsa-838h-jqp6-cf2f
Vulnerability from github
Published
2022-03-29 22:10
Modified
2022-05-02 19:39
Severity ?
Summary
Sandbox bypass leading to arbitrary code execution in Deno
Details
Impact
The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass permission checks and execute arbitrary shell code.
There is no evidence that this vulnerability has been exploited in the wild.
This vulnerability does not affect users of Deno Deploy.
Patches
The vulnerability has been patched in Deno 1.20.3.
Workarounds
There is no workaround. All users are recommended to upgrade to 1.20.3 immediately
The cause of this error was that certain FFI operations did not correctly check for permissions. The issue was fixed in this pull request.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "deno"
},
"ranges": [
{
"events": [
{
"introduced": "1.18.0"
},
{
"fixed": "1.20.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24783"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-29T22:10:10Z",
"nvd_published_at": "2022-03-25T22:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass permission checks and execute arbitrary shell code.\n\nThere is **no** evidence that this vulnerability has been exploited in the wild.\n\nThis vulnerability does **not** affect users of Deno Deploy.\n\n### Patches\n\nThe vulnerability has been patched in Deno 1.20.3.\n\n### Workarounds\n\nThere is no workaround. All users are recommended to upgrade to 1.20.3 immediately\n\n---\n\nThe cause of this error was that certain FFI operations did not correctly check for permissions. The issue was fixed in [this](https://github.com/denoland/deno/pull/14115) pull request.",
"id": "GHSA-838h-jqp6-cf2f",
"modified": "2022-05-02T19:39:05Z",
"published": "2022-03-29T22:10:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24783"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/pull/14115"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/commit/fcfce1bb869fddc629e6d889d6ba1328b80b0dcf"
},
{
"type": "PACKAGE",
"url": "https://github.com/denoland/deno"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/compare/v1.20.2...v1.20.3"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/releases/tag/v1.20.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sandbox bypass leading to arbitrary code execution in Deno"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.