CVE-2024-27933 – Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-27933
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. • https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256 https://github.com/denoland/deno/blob/v1.39.0/runtime/permission • CWE-863: Incorrect Authorization •
CVE-2024-27932 – Deno's improper suffix match testing for DENO_AUTH_TOKENS
https://notcve.org/view.php?id=CVE-2024-27932
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue Deno es un tiempo de ejecución de JavaScript, TypeScript y WebAssembly. • https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89 https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr • CWE-20: Improper Input Validation •
CVE-2024-27931 – Insufficient permission checking in `Deno.makeTemp*` APIs
https://notcve.org/view.php?id=CVE-2024-27931
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1. • https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh • CWE-20: Improper Input Validation •
CVE-2023-33966 – Deno missing "--allow-net" permission check for built-in Node modules
https://notcve.org/view.php?id=CVE-2023-33966
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. • https://github.com/denoland/deno/releases/tag/v1.34.1 https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •