CVE-2022-24783 — Improper Privilege Management in Deno

CWE-269 — Improper Privilege Management CWE-863 — Incorrect Authorization3 documents3 sources

Severity

10.0CRITICALNVD

EPSS

0.4%

top 41.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Deno Denoland Deno

Timeline

PublishedMar 25

Latest updateMar 29

Description

Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages3 packages

▶NVDdeno/deno1.18.0 — 1.20.3

▶crates.iodeno/deno1.18.0 — 1.20.3

▶CVEListV5denoland/deno>= 1.18.0, < 1.20.3

🔴Vulnerability Details

OSV

Sandbox bypass leading to arbitrary code execution in Deno↗2022-03-29

▶

GHSA

Sandbox bypass leading to arbitrary code execution in Deno↗2022-03-29

▶