CVE-2024-27936 – Deno interactive permission prompt spoofing via improper ANSI stripping
https://notcve.org/view.php?id=CVE-2024-27936
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, a maliciously crafted permission request can show a spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno strips any ANSI escape sequences from the permission prompt, but the permissions given to the program are based on the contents that still contain the ANSI escape sequences. Any Deno program can therefore spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue. • https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5 https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVE-2024-27935 – Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination
https://notcve.org/view.php?id=CVE-2024-27935
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts, which serves as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the Node.js compatibility layer for network communication or other streams, including packages that may require Node.js libraries indirectly. • https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6 https://github.com/denoland/deno/issues/20188 https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp • CWE-488: Exposure of Data Element to Wrong Session •
CVE-2024-27934 – *const c_void / ExternalPointer unsoundness leading to use-after-free
https://notcve.org/view.php?id=CVE-2024-27934
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue. • https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf • CWE-416: Use After Free •
CVE-2024-27933 – Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-27933
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource and resulting in a permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns an `IpcJsonStreamResource` ID associated with the file descriptor. When the resource is closed, the raw file descriptor is closed along with it. This allows standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. • https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256 https://github.com/denoland/deno/blob/v1.39.0/runtime/permission • CWE-863: Incorrect Authorization •
CVE-2024-27932 – Deno's improper suffix match testing for DENO_AUTH_TOKENS
https://notcve.org/view.php?id=CVE-2024-27932
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue. • https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89 https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr • CWE-20: Improper Input Validation •
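The hostname check described for CVE-2024-27932, shown as an added example that is not Deno's source code: a plain string suffix match beside a match that requires equality or a `.` label boundary. The function names (`naive_matches`, `strict_matches`, `token_for`) and the sample token are hypothetical and constructed for illustration.

```rust
// Added illustration; not taken from cli/auth_tokens.rs. All names are hypothetical.

/// Flawed check: a raw suffix comparison, so "notexample.com" is accepted
/// for a token scoped to "example.com".
fn naive_matches(import_host: &str, token_host: &str) -> bool {
    import_host.to_lowercase().ends_with(&token_host.to_lowercase())
}

/// Hardened check: the import host must equal the token host or be a child
/// of it, i.e. the part in front of the suffix must end at a '.' boundary.
fn strict_matches(import_host: &str, token_host: &str) -> bool {
    // Normalise case and a trailing root dot ("example.com.").
    let host = import_host.trim_end_matches('.').to_lowercase();
    let scope = token_host.trim_end_matches('.').to_lowercase();
    if scope.is_empty() {
        return false; // an empty scope must never match every host
    }
    match host.strip_suffix(scope.as_str()) {
        Some("") => true, // exact match
        // Child domain: non-empty label(s) followed by the separating dot.
        Some(prefix) => prefix.len() > 1 && prefix.ends_with('.'),
        None => false,
    }
}

/// Returns the token that would be attached to a request for `import_host`.
fn token_for<'a>(
    tokens: &'a [(&'a str, &'a str)],
    import_host: &str,
    matches: fn(&str, &str) -> bool,
) -> Option<&'a str> {
    tokens
        .iter()
        .find(|(scope, _)| matches(import_host, *scope))
        .map(|(_, token)| *token)
}

fn main() {
    // Constructed sample: one token scoped to example.com.
    let tokens = [("example.com", "SAMPLE-TOKEN")];
    for host in ["example.com", "cdn.example.com", "notexample.com"] {
        println!(
            "{:<16} naive={:?} strict={:?}",
            host,
            token_for(&tokens, host, naive_matches),
            token_for(&tokens, host, strict_matches)
        );
    }
}
```
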