CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-41641
https://notcve.org/view.php?id=CVE-2021-41641
Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory. Deno versiones anteriores a 1.14.0 incluyéndola, el sandbox de archivo no maneja correctamente los enlaces simbólicos. Cuando es ejecutado Deno con un acceso de escritura específico, el método Deno.symlink puede usarse para acceder a cualquier directorio • https://github.com/denoland/deno/issues/12152 https://hackers.report/report/614876917a7b150012836bb8 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24783 – Sandbox bypass leading to arbitrary code execution in Deno
https://notcve.org/view.php?id=CVE-2022-24783
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. • https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-42139
https://notcve.org/view.php?id=CVE-2021-42139
Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations. Deno Standard Modules versiones anteriores a 0.107.0, permite una inyección de código por medio de un archivo YAML no confiable en determinadas configuraciones • https://github.com/denoland/deno_std/pull/1275 https://github.com/denoland/deno_std/releases/tag/0.107.0 https://vuln.ryotak.me/advisories/58 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32619 – Static imports inside dynamically imported modules do not adhere to permission checks
https://notcve.org/view.php?id=CVE-2021-32619
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2. Deno es un tiempo de ejecución para JavaScript y TypeScript que usa V8 y está construido en Rust. En versiones 1.5.0 hasta 1.10.1 de Deno, los módulos que son importados dinámicamente mediante las funciones "import()" o "new Worker" podrían haber sido capaces de omitir las comprobaciones de permisos de la red y del sistema de archivos al importar de forma estática otros módulos. • https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •