GHSA-838h-jqp6-cf2f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-838h-jqp6-cf2f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-838h-jqp6-cf2f/GHSA-838h-jqp6-cf2f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-838h-jqp6-cf2f
- Aliases
- Published
- 2022-03-29T22:10:10Z
- Modified
- 2023-11-08T04:08:36.288044Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Sandbox bypass leading to arbitrary code execution in Deno
- Details
-
Impact
The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass permission checks and execute arbitrary shell code.
There is no evidence that this vulnerability has been exploited in the wild.
This vulnerability does not affect users of Deno Deploy.
Patches
The vulnerability has been patched in Deno 1.20.3.
Workarounds
There is no workaround. All users are recommended to upgrade to 1.20.3 immediately
The cause of this error was that certain FFI operations did not correctly check for permissions. The issue was fixed in this pull request.
- Database specific
{ "nvd_published_at": "2022-03-25T22:15:00Z", "cwe_ids": [ "CWE-269", "CWE-863" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-03-29T22:10:10Z" }- References
-
- https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f
- https://nvd.nist.gov/vuln/detail/CVE-2022-24783
- https://github.com/denoland/deno/pull/14115
- https://github.com/denoland/deno/commit/fcfce1bb869fddc629e6d889d6ba1328b80b0dcf
- https://github.com/denoland/deno
- https://github.com/denoland/deno/compare/v1.20.2...v1.20.3
- https://github.com/denoland/deno/releases/tag/v1.20.3
Affected packages
crates.io / deno
Package
- Name
- deno
- View open source insights on deps.dev
- Purl
- pkg:cargo/deno