ghsa-hrqr-jv8w-v9jh
Vulnerability from github
Published
2024-03-05 16:19
Modified
2024-03-05 20:30
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Summary
Insufficient permission checking in `Deno.makeTemp*` APIs
Details

Impact

Insufficient validation of parameters in Deno.makeTemp* APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems.

A user may provide a prefix or suffix to a Deno.makeTemp* API containing path traversal characters. The permission check would prompt for the base directory of the API, but the final file that was created would be outside of this directory:

``` $ mkdir /tmp/good $ mkdir /tmp/bad $ deno repl --allow-write=/tmp/good

Deno.makeTempFileSync({ dir: "/tmp/bad" }) ┌ ⚠️ Deno requests write access to "/tmp/bad". ├ Requested by Deno.makeTempFile() API. ├ Run again with --allow-write to bypass this prompt. └ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all write permissions) > n ❌ Denied write access to "/tmp/bad". Uncaught PermissionDenied: Requires write access to "/tmp/bad", run again with the --allow-write flag at Object.makeTempFileSync (ext:deno_fs/30_fs.js:176:10) at :1:27 Deno.makeTempFileSync({ dir: "/tmp/good", prefix: "../bad/" }) "/tmp/good/../bad/a9432ef5" $ ls -l /tmp/bad/a9432ef5 -rw-------@ 1 user group 0 Mar 4 09:20 /tmp/bad/a9432ef5 ```

Patches

This is fixed in Deno 1.41.1.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.41.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-05T16:19:44Z",
    "nvd_published_at": "2024-03-05T17:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nInsufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems.\n\nA user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. The permission check would prompt for the base directory of the API, but the final file that was created would be outside of this directory:\n\n```\n$ mkdir /tmp/good\n$ mkdir /tmp/bad\n$ deno repl --allow-write=/tmp/good\n\u003e Deno.makeTempFileSync({ dir: \"/tmp/bad\" })\n\u250c \u26a0\ufe0f  Deno requests write access to \"/tmp/bad\".\n\u251c Requested by `Deno.makeTempFile()` API.\n\u251c Run again with --allow-write to bypass this prompt.\n\u2514 Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all write permissions) \u003e n\n\u274c Denied write access to \"/tmp/bad\".\nUncaught PermissionDenied: Requires write access to \"/tmp/bad\", run again with the --allow-write flag\n    at Object.makeTempFileSync (ext:deno_fs/30_fs.js:176:10)\n    at \u003canonymous\u003e:1:27\n\u003e Deno.makeTempFileSync({ dir: \"/tmp/good\", prefix: \"../bad/\" })\n\"/tmp/good/../bad/a9432ef5\"\n$ ls -l /tmp/bad/a9432ef5\n-rw-------@ 1 user  group  0 Mar  4 09:20 /tmp/bad/a9432ef5\n```\n\n### Patches\n\nThis is fixed in Deno 1.41.1.\n\n",
  "id": "GHSA-hrqr-jv8w-v9jh",
  "modified": "2024-03-05T20:30:03Z",
  "published": "2024-03-05T16:19:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27931"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient permission checking in `Deno.makeTemp*` APIs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.