CVE-2024-34346: Incorrect Authorization in Deno

Severity: 9.0 CRITICAL (NVD)
EPSS: 0.1% (top 71.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 7
Latest update: May 8

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages (3 packages)

NVD: deno/deno < 1.43.1
crates.io: deno/deno < 1.43.1
CVEListV5: denoland/deno < 1.43.0

Vulnerability Details (2)

OSV: Deno permission escalation vulnerability via open of privileged files with missing `--deny` flag (2024-05-08)
GHSA: Deno permission escalation vulnerability via open of privileged files with missing `--deny` flag (2024-05-08)