Lucene search

[email protected]CVE-2023-33966

HistoryMay 31, 2023 - 6:15 p.m.

CVE-2023-33966

2023-05-3118:15:09

CWE-276

CWE-269

[email protected]

web.nvd.nist.gov

deno

javascript

typescript

cve-2023-33966

http

https

network permission

allow list

vulnerability

patch

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.0%

JSON

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in node:http or node:https modules are incorrectly not checked against the network permission allow list (--allow-net). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.

Affected configurations

Vulners

NVD

Node

denolanddenoMatch1.34.0

denolanddenoMatch0.114.0

CPENameOperatorVersion
deno:denodenoeq1.34.0
deno:deno_runtimedeno deno runtimeeq0.114.0

CPE	Name	Operator	Version
deno:deno	deno	eq	1.34.0
deno:deno_runtime	deno deno runtime	eq	0.114.0

CNA Affected

[
  {
    "vendor": "denoland",
    "product": "deno",
    "versions": [
      {
        "version": "deno = 1.34.0",
        "status": "affected"
      },
      {
        "version": "deno_runtime  = 0.114.0",
        "status": "affected"
      }
    ]
  }
]