CVE-2022-24783
Published 2022-03-25
Priority: P2
CVSS 3.1: 10.0 (critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.10% (61.6th percentile)
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deno | deno | >= 1.18.0 < 1.20.3 | 1.20.3 |
| denoland | deno | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
OSV (2022-03-29): CVE-2022-24783 [CRITICAL] Sandbox bypass leading to arbitrary code execution in Deno
### Impact
The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass permission checks and execute arbitrary shell code.
There is **no** evidence that this vulnerability has been exploited in the wild.
This vulnerability does **not** affect users of Deno Deploy.
### Patches
The vulnerability has been patched in Deno 1.20.3.
### Workarounds
There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.
---
The root cause was that certain FFI operations did not correctly check for permissions, so code running inside the runtime could reach native calls that the permission model should have gated. The issue was fixed in [this](https://github.com/denoland/deno/pull/14115) pull request.
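Since the advisory offers no workaround, the practical response is to find every Deno install in the affected range and upgrade it. The following triage helper is an added example (not code from the Deno project or from the advisory): it parses the first line of `deno --version` output, compares the version against the range the advisory lists (>= 1.18.0 and < 1.20.3), and returns a verdict. The sample output embedded below is constructed; the v8 and typescript numbers in it are illustrative.

```typescript
// Added example: version triage for CVE-2022-24783 (not Deno project code).
// Affected range per the advisory: >= 1.18.0 and < 1.20.3.
type SemVer = [number, number, number];

const FIRST_AFFECTED: SemVer = [1, 18, 0];
const FIXED_IN: SemVer = [1, 20, 3];

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any suffix after the
// patch number are ignored); throws on anything that is not a version string.
function parseSemVer(s: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`not a semantic version: ${JSON.stringify(s)}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of the three numeric components: -1, 0 or 1.
function compareSemVer(a: SemVer, b: SemVer): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when FIRST_AFFECTED <= version < FIXED_IN (the advisory's range).
function isAffected(version: string): boolean {
  const v = parseSemVer(version);
  return compareSemVer(v, FIRST_AFFECTED) >= 0 && compareSemVer(v, FIXED_IN) < 0;
}

// Pull the runtime version out of the multi-line output of `deno --version`;
// the first line has the form "deno X.Y.Z (release, <target-triple>)".
function denoVersionFromOutput(output: string): string {
  const m = /^deno (\d+\.\d+\.\d+\S*)/m.exec(output);
  if (!m) throw new Error("no 'deno X.Y.Z' line found in output");
  return m[1];
}

interface Triage {
  version: string;
  affected: boolean;
  advice: string;
}

// Combine the two steps into one verdict a scanner can log or act on.
function triage(output: string): Triage {
  const version = denoVersionFromOutput(output);
  const affected = isAffected(version);
  return {
    version,
    affected,
    advice: affected
      ? "upgrade to Deno 1.20.3 or later; the advisory lists no workaround"
      : "not in the affected range for CVE-2022-24783",
  };
}

// Constructed sample of `deno --version` output (assumed shape; the v8 and
// typescript lines are illustrative, not values captured from a real host).
const SAMPLE_OUTPUT = `deno 1.20.2 (release, x86_64-unknown-linux-gnu)
v8 10.0.139.6
typescript 4.6.2`;

console.log(triage(SAMPLE_OUTPUT));
```

The range check is inclusive at 1.18.0 and exclusive at 1.20.3, matching the advisory's "1.18.0 to 1.20.2 inclusive, fixed in 1.20.3". Because the root cause is a missing permission check in FFI operations rather than a bug in the permission flags themselves, running with fewer `--allow-*` flags does not help on an affected version; the only fix is the upgrade.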
GHSA (2022-03-29): CVE-2022-24783 [CRITICAL] CWE-269 Sandbox bypass leading to arbitrary code execution in Deno
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.