CVE-2024-27933 — Incorrect Authorization in Deno
Severity
8.8HIGHNVD
EPSS
0.0%
top 94.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Latest updateMar 6
PublishedMar 21
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, …
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0