CVE-2023-33966

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-33966

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33966.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-33966

Aliases

GHSA-vc52-gwm3-8v2f

Published

2023-05-31T17:15:13.791Z

Modified

2026-03-01T08:10:55.450323Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator

Summary

Deno missing "--allow-net" permission check for built-in Node modules

Details

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and denoruntime 0.114.0, outbound HTTP requests made using the built-in node:http or node:https modules are incorrectly not checked against the network permission allow list (--allow-net). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and denoruntime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33966.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269"
    ]
}

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33966.json"