CVE-2021-32619 — Improper Authorization in Deno

CWE-285 — Improper Authorization CWE-863 — Incorrect Authorization3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 41.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Denoland Deno Deno

Timeline

PublishedMay 28

Latest updateSep 23

Description

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDdeno/deno1.5.0 — 1.10.2

▶crates.iodeno/deno1.5.0 — 1.10.2

▶CVEListV5denoland/deno< 1.10.2

🔴Vulnerability Details

OSV

Deno's static imports inside dynamically imported modules do not adhere to permission checks↗2021-09-23

▶

GHSA

Deno's static imports inside dynamically imported modules do not adhere to permission checks↗2021-09-23

▶