CVE-2024-27931: Improper Input Validation in Deno

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 55.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 5

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.
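
A caller-side guard for the issue described above, as an added example (not code from Deno or from this advisory): it rejects a prefix or suffix containing a path separator or NUL before the value reaches a `Deno.makeTemp*` call, then confirms the composed path stays under the target directory. The names `safeTempOptions`, `checkAffix`, `normalize` and `isInside` are hypothetical, and an absolute POSIX-style `dir` is assumed.

```javascript
// Added example: caller-side validation, not Deno's own fix.
// Characters that would let a prefix/suffix name a different directory.
const FORBIDDEN = /[\/\\\0]/;

function checkAffix(kind, value) {
  if (typeof value !== "string") throw new TypeError(`${kind} must be a string`);
  if (FORBIDDEN.test(value)) {
    throw new Error(`${kind} contains a path separator or NUL: ${JSON.stringify(value)}`);
  }
  return value;
}

// Minimal POSIX normalizer: resolves "." and ".." components lexically.
function normalize(p) {
  const out = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop();
    else out.push(part);
  }
  return "/" + out.join("/");
}

// True only if candidate is strictly below dir after normalization.
function isInside(dir, candidate) {
  const base = normalize(dir);
  const full = normalize(candidate);
  if (base === "/") return full !== "/";
  return full.startsWith(base + "/");
}

// Returns options that are safe to hand to a makeTemp-style API, or throws.
function safeTempOptions({ dir, prefix = "", suffix = "" }) {
  checkAffix("prefix", prefix);
  checkAffix("suffix", suffix);
  // Defense in depth: compose a sample name (X's stand in for the random
  // part the runtime generates) and confirm it cannot leave dir.
  const sample = `${dir}/${prefix}XXXXXXXX${suffix}`;
  if (!isInside(dir, sample)) throw new Error("temp path escapes target directory");
  return { dir, prefix, suffix };
}
```

In a Deno program the result would be passed straight through, for example `await Deno.makeTempFile(safeTempOptions({ dir, prefix, suffix }))`; upgrading to Deno 1.41.1 or later remains the actual fix.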

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: deno/deno < 1.41.1
crates.io: deno/deno < 1.41.1
CVEListV5: denoland/deno < 1.41.1

Vulnerability Details (2)

OSV: Insufficient permission checking in `Deno.makeTemp*` APIs (2024-03-05)
GHSA: Insufficient permission checking in `Deno.makeTemp*` APIs (2024-03-05)