CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37150 – Private npm registry support used scope auth token for downloading tarballs
https://notcve.org/view.php?id=CVE-2024-37150
An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials. Se descubrió un problema en el soporte de `.npmrc` en Deno 1.44.0 donde Deno enviaba credenciales `.npmrc` para el alcance a la URL tarball cuando el registro proporcionaba URL para un tarball en un dominio diferente. • https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34346 – Deno contains a permission escalation via open of privileged files with missing `--deny` flag
https://notcve.org/view.php?id=CVE-2024-34346
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. • https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32477 – Race condition when flushing input stream leads to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-32477
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the `\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. • https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27936 – Deno interactive permission prompt spoofing via improper ANSI stripping
https://notcve.org/view.php?id=CVE-2024-27936
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue. • https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5 https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27935 – Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination
https://notcve.org/view.php?id=CVE-2024-27935
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. • https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6 https://github.com/denoland/deno/issues/20188 https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp • CWE-488: Exposure of Data Element to Wrong Session •