CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24783 – Sandbox bypass leading to arbitrary code execution in Deno
https://notcve.org/view.php?id=CVE-2022-24783
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. • https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32619 – Static imports inside dynamically imported modules do not adhere to permission checks
https://notcve.org/view.php?id=CVE-2021-32619
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2. Deno es un tiempo de ejecución para JavaScript y TypeScript que usa V8 y está construido en Rust. En versiones 1.5.0 hasta 1.10.1 de Deno, los módulos que son importados dinámicamente mediante las funciones "import()" o "new Worker" podrían haber sido capaces de omitir las comprobaciones de permisos de la red y del sistema de archivos al importar de forma estática otros módulos. • https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •