Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` leaves read access allowed, even though a deny flag should take precedence over an allow flag. The same holds for every global unary permission passed as `--allow-* --deny-*`. Only this nonsensical combination of flags is affected, so there should be no real impact on the user base. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.
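As an added illustration (not code from the Deno project or the advisory), the following TypeScript models how a unary permission such as `read` resolves from `--allow-*`/`--deny-*` flags, in the flawed form the advisory describes beside the corrected form, and includes a self-check that can be run against an installed Deno with `deno run --allow-read --deny-read check.ts`. The flag parser, the descendant-path rule and all function names are the example's own simplifications, not Deno's internals.

```typescript
// Added illustrative model (not Deno's own permission code) of how a unary
// permission such as "read" resolves from --allow-X / --deny-X flags, with a
// simplified descendant-path check for scoped values like --allow-read=/tmp.

type PermState = "granted" | "denied" | "prompt";
type FlagValue = true | string[] | null; // true = global flag, string[] = scoped

interface UnaryFlags {
  allow: FlagValue;
  deny: FlagValue;
}

// Parse the --allow-*/--deny-* subset of a deno argv into per-permission flags.
// Assumption (simplification): a global flag absorbs any scoped one of the same kind.
function parsePermissionFlags(argv: string[]): Map<string, UnaryFlags> {
  const out = new Map<string, UnaryFlags>();
  for (const arg of argv) {
    const m = /^--(allow|deny)-([a-z]+)(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    const kind = m[1] as "allow" | "deny";
    const name = m[2];
    const scope: string | undefined = m[3];
    const flags = out.get(name) || { allow: null, deny: null };
    const prev = flags[kind];
    if (scope === undefined || prev === true) {
      flags[kind] = true;
    } else {
      flags[kind] = [...(prev || []), ...scope.split(",").filter(Boolean)];
    }
    out.set(name, flags);
  }
  return out;
}

// Simplified descendant check: scope "/etc" covers "/etc" and "/etc/passwd".
function covers(scope: string, path: string): boolean {
  const dir = scope.endsWith("/") ? scope : scope + "/";
  return path === scope || path.startsWith(dir);
}

// Does this flag apply to the query? A global flag always does; a scoped flag
// only applies to a concrete path it covers.
function matches(flag: FlagValue, path?: string): boolean {
  if (flag === null) return false;
  if (flag === true) return true;
  if (path === undefined) return false;
  const p: string = path;
  return flag.some((s) => covers(s, p));
}

// The defect as the advisory describes it: when both --allow-X and --deny-X are
// given globally, the global deny is dropped and the global allow decides.
// Scoped denies (--deny-read=/etc) are still honoured in this model.
function resolveBuggy(flags: UnaryFlags, path?: string): PermState {
  const deny = flags.allow === true && flags.deny === true ? null : flags.deny;
  if (matches(deny, path)) return "denied";
  return matches(flags.allow, path) ? "granted" : "prompt";
}

// Corrected resolution: a matching deny always wins over a matching allow.
function resolveFixed(flags: UnaryFlags, path?: string): PermState {
  if (matches(flags.deny, path)) return "denied";
  return matches(flags.allow, path) ? "granted" : "prompt";
}

// Convenience: resolve permission `name` straight from an argv.
function resolve(argv: string[], name: string, fixed: boolean, path?: string): PermState {
  const flags = parsePermissionFlags(argv).get(name) || { allow: null, deny: null };
  return fixed ? resolveFixed(flags, path) : resolveBuggy(flags, path);
}

// Self-check against a real Deno binary. Save as check.ts and run:
//   deno run --allow-read --deny-read check.ts
// Resolves to true when the runtime reports read as denied (deny wins), false
// when it reports it granted (the advisory's behaviour), null outside Deno.
async function checkRuntime(): Promise<boolean | null> {
  // deno-lint-ignore no-explicit-any
  const deno = (globalThis as any).Deno;
  if (!deno || !deno.permissions) return null;
  const status = await deno.permissions.query({ name: "read" });
  return status.state === "denied";
}

checkRuntime().then((ok) => {
  if (ok === null) return;
  console.log(ok
    ? "global --deny-read honoured: not affected"
    : "global --deny-read ignored: affected");
});
```

The model keeps scoped denies working in both variants so that only the global-plus-global combination differs, which is the narrow behaviour the advisory reports; `resolveFixed` is the rule a practitioner should expect from any permission system, namely that a deny that matches the query beats an allow that matches it.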
CVSS breakdown
CVSS 4.0
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality (Vulnerable System): None
Integrity (Vulnerable System): Low
Availability (Vulnerable System): None
Confidentiality (Subsequent System): None
Integrity (Subsequent System): None
Availability (Subsequent System): None
Affected products
- denoland/deno >= 1.41.3, < 2.1.13
- denoland/deno >= 2.2.0, < 2.2.13
- denoland/deno >= 2.3.0, < 2.3.2
References
- Vendor advisory: https://github.com/denoland/deno/security/advisories/GHSA-xqxc-x6p3-w683
- Patch: https://github.com/denoland/deno/pull/22894
- Patch: https://github.com/denoland/deno/pull/29213
- Patch: https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db
- Patch: https://github.com/denoland/deno/commit/9d665572d3cd39f997e29e6daac7c1102fc5c04f
- Patch: https://github.com/denoland/deno/commit/ef315b56c26c9ef5f25284a5100d2ed525a148cf