Vulnerabilites related to deno - deno_runtime
Vulnerability from fkie_nvd
Published
2023-05-31 18:15
Modified
2024-11-21 08:06
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| deno | deno | 1.34.0 | |
| deno | deno_runtime | 0.114.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:deno:deno:1.34.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B7E67CC3-3EA3-429B-9C41-BB8AF9EFFF2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:deno:deno_runtime:0.114.0:*:*:*:*:rust:*:*",
"matchCriteriaId": "0194D26C-BFC4-46B7-A264-E78B30D47A7B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.\n"
}
],
"id": "CVE-2023-33966",
"lastModified": "2024-11-21T08:06:18.630",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-31T18:15:09.527",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.34.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.34.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-24 00:15
Modified
2024-11-21 07:55
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/denoland/deno/pull/18395 | Patch, Vendor Advisory | |
| security-advisories@github.com | https://github.com/denoland/deno/releases/tag/v1.32.1 | Patch, Release Notes | |
| security-advisories@github.com | https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/denoland/deno/pull/18395 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/denoland/deno/releases/tag/v1.32.1 | Patch, Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx | Mitigation, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:deno:deno:1.32.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8A38DE-3D64-41AE-A44A-B4E3EFCE97B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:deno:deno_runtime:0.102.0:*:*:*:*:rust:*:*",
"matchCriteriaId": "078A97CE-CC80-48D7-B07B-2ACCC0C6A808",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:deno:serde_v8:0.87.0:*:*:*:*:rust:*:*",
"matchCriteriaId": "01AE0210-6362-4A33-B3BE-E7F7D81BA923",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers."
}
],
"id": "CVE-2023-28445",
"lastModified": "2024-11-21T07:55:05.587",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-24T00:15:15.653",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/pull/18395"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.32.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/pull/18395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.32.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
},
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-21 02:52
Modified
2025-01-03 19:27
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| deno | deno | * | |
| deno | deno_runtime | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CA87604-33E8-4CAE-B495-A1CA54375989",
"versionEndExcluding": "1.41.0",
"versionStartIncluding": "1.32.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:deno:deno_runtime:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "96B2F540-1D61-413F-A71F-2B95C6FB5149",
"versionEndExcluding": "0.147.0",
"versionStartIncluding": "0.103.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue."
},
{
"lang": "es",
"value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. A partir de la versi\u00f3n 1.32.1 y antes de la versi\u00f3n 1.41 de la librer\u00eda deno_runtime, la solicitud de permiso creada con fines malintencionados puede mostrar el mensaje de permiso falsificado insertando una secuencia de escape ANSI rota en el contenido de la solicitud. Deno est\u00e1 eliminando cualquier secuencia de escape ANSI del mensaje de permiso, pero los permisos otorgados al programa se basan en los contenidos que contienen las secuencias de escape ANSI. Cualquier programa Deno puede falsificar el contenido del mensaje de permiso interactivo insertando un c\u00f3digo ANSI roto, lo que permite que un programa Deno malicioso muestre la ruta del archivo o el nombre del programa incorrecto al usuario. La versi\u00f3n 1.41 de la librer\u00eda deno_runtime contiene un parche para el problema."
}
],
"id": "CVE-2024-27936",
"lastModified": "2025-01-03T19:27:46.510",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-21T02:52:22.813",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-150"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2024-27936
Vulnerability from cvelistv5
Published
2024-03-06 21:05
Modified
2024-08-02 00:41
Severity ?
EPSS score ?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d | x_refsource_MISC | |
| https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"lessThan": "1.41.0",
"status": "affected",
"version": "1.32.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T20:24:15.593823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T20:26:36.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"name": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"name": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.32.1, \u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T12:42:08.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"name": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"name": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
}
],
"source": {
"advisory": "GHSA-m4pq-fv2w-6hrw",
"discovery": "UNKNOWN"
},
"title": "Deno interactive permission prompt spoofing via improper ANSI stripping"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27936",
"datePublished": "2024-03-06T21:05:59.251Z",
"dateReserved": "2024-02-28T15:14:14.217Z",
"dateUpdated": "2024-08-02T00:41:55.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-33966
Vulnerability from cvelistv5
Published
2023-05-31 17:15
Modified
2025-01-09 20:24
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/releases/tag/v1.34.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.202Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.34.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.34.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T20:23:20.829088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T20:24:06.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "deno = 1.34.0"
},
{
"status": "affected",
"version": "deno_runtime = 0.114.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-31T17:15:13.791Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.34.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.34.1"
}
],
"source": {
"advisory": "GHSA-vc52-gwm3-8v2f",
"discovery": "UNKNOWN"
},
"title": "Deno missing \"--allow-net\" permission check for built-in Node modules"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33966",
"datePublished": "2023-05-31T17:15:13.791Z",
"dateReserved": "2023-05-24T13:46:35.953Z",
"dateUpdated": "2025-01-09T20:24:06.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-28445
Vulnerability from cvelistv5
Published
2023-03-23 23:23
Modified
2025-02-20 19:17
Severity ?
EPSS score ?
Summary
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx | x_refsource_CONFIRM | |
| https://github.com/denoland/deno/pull/18395 | x_refsource_MISC | |
| https://github.com/denoland/deno/releases/tag/v1.32.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx"
},
{
"name": "https://github.com/denoland/deno/pull/18395",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/pull/18395"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.32.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.32.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:14:04.708102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:17:12.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "= 1.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T23:23:27.931Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx"
},
{
"name": "https://github.com/denoland/deno/pull/18395",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/pull/18395"
},
{
"name": "https://github.com/denoland/deno/releases/tag/v1.32.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/releases/tag/v1.32.1"
}
],
"source": {
"advisory": "GHSA-c25x-cm9x-qqgx",
"discovery": "UNKNOWN"
},
"title": "Deno improperly handles resizable ArrayBuffer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28445",
"datePublished": "2023-03-23T23:23:27.931Z",
"dateReserved": "2023-03-15T15:59:10.056Z",
"dateUpdated": "2025-02-20T19:17:12.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}