CVE-2024-27936

Source
https://cve.org/CVERecord?id=CVE-2024-27936
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27936.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-27936
Aliases
Downstream
Published
2024-03-06T21:05:59.251Z
Modified
2026-07-08T08:05:28.712798756Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Deno interactive permission prompt spoofing via improper ANSI stripping
Details

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/27xxx/CVE-2024-27936.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-150"
    ]
}
References

Affected packages

Git / github.com/denoland/deno

Affected ranges

Type
GIT
Repo
https://github.com/denoland/deno
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.32.1"
        },
        {
            "fixed": "1.41.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27936.json"