Lucene search

GitHub Advisory DatabaseGHSA-VC52-GWM3-8V2F

HistoryMay 31, 2023 - 11:39 p.m.

Missing "--allow-net" permission check for built-in Node modules

2023-05-3123:39:40

CWE-269

CWE-276

GitHub Advisory Database

github.com

outbound http requests

node:http

node:https

permission check

network allow list

vulnerability

deno v1.34.0

deno v1.34.1

update

no workaround

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

62.0%

JSON

Impact

Outbound HTTP requests made using the built-in “node:http” or “node:https” modules are incorrectly not checked against the network permission allow list (--allow-net). Dependencies relying on these built-in modules are subject to the vulnerability too.

Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected.

Patches

This problem has been patched in Deno v1.34.1 and all users are recommended to update to this version.

Workarounds

No workaround is available for this issue.

Affected configurations

Vulners

Node

denodeno_runtimeMatch0.114.0rust

denodenoMatch1.34.0

CPENameOperatorVersion
deno_runtimeeq0.114.0
denoeq1.34.0

CPE	Name	Operator	Version
	deno_runtime	eq	0.114.0
	deno	eq	1.34.0

References

github.com/advisories/GHSA-vc52-gwm3-8v2f

github.com/denoland/deno/releases/tag/v1.34.1

github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f

nvd.nist.gov/vuln/detail/CVE-2023-33966

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

62.0%

JSON

Related for GHSA-VC52-GWM3-8V2F