Lucene search

K
cve[email protected]CVE-2024-27936
HistoryMar 21, 2024 - 2:52 a.m.

CVE-2024-27936

2024-03-2102:52:22
CWE-150
web.nvd.nist.gov
49
deno
javascript
typescript
webassembly
runtime
security
cve-2024-27936
permission prompt
ansi escape sequences
spoofing
vulnerability

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.

Affected configurations

Vulners
Node
denolanddenoRange1.32.11.41.0

CNA Affected

[
  {
    "vendor": "denoland",
    "product": "deno",
    "versions": [
      {
        "version": ">= 1.32.1, < 1.41.0",
        "status": "affected"
      }
    ]
  }
]

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Related for CVE-2024-27936