Page 2 of 9 results (0.009 seconds)

CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. • https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241 https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256 https://github.com/denoland/deno/blob/v1.39.0/runtime/permission • CWE-863: Incorrect Authorization •

CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue Deno es un tiempo de ejecución de JavaScript, TypeScript y WebAssembly. • https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89 https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcr • CWE-20: Improper Input Validation •

CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1. • https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh • CWE-20: Improper Input Validation •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. • https://github.com/denoland/deno/releases/tag/v1.34.1 https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •