CVE-2021-32619
Static imports inside dynamically imported modules do not adhere to permission checks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2.
Deno es un tiempo de ejecución para JavaScript y TypeScript que usa V8 y está construido en Rust. En versiones 1.5.0 hasta 1.10.1 de Deno, los módulos que son importados dinámicamente mediante las funciones "import()" o "new Worker" podrían haber sido capaces de omitir las comprobaciones de permisos de la red y del sistema de archivos al importar de forma estática otros módulos. La vulnerabilidad ha sido parcheada en la versión 1.10.2 de Deno
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-05-28 CVE Published
- 2024-02-25 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-285: Improper Authorization
- CWE-863: Incorrect Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Deno Search vendor "Deno" | Deno Search vendor "Deno" for product "Deno" | >= 1.5.0 < 1.10.2 Search vendor "Deno" for product "Deno" and version " >= 1.5.0 < 1.10.2" | - |
Affected
| ||||||