CVE-2024-27936 (GCVE-0-2024-27936)
Vulnerability from cvelistv5 – Published: 2024-03-06 21:05 – Updated: 2024-08-02 00:41
VLAI?
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.
Severity ?
8.8 (High)
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "deno",
"vendor": "deno",
"versions": [
{
"lessThan": "1.41.0",
"status": "affected",
"version": "1.32.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T20:24:15.593823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T20:26:36.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"name": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"name": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "deno",
"vendor": "denoland",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.32.1, \u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T12:42:08.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw"
},
{
"name": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d"
},
{
"name": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5"
}
],
"source": {
"advisory": "GHSA-m4pq-fv2w-6hrw",
"discovery": "UNKNOWN"
},
"title": "Deno interactive permission prompt spoofing via improper ANSI stripping"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27936",
"datePublished": "2024-03-06T21:05:59.251Z",
"dateReserved": "2024-02-28T15:14:14.217Z",
"dateUpdated": "2024-08-02T00:41:55.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.32.1\", \"versionEndExcluding\": \"1.41.0\", \"matchCriteriaId\": \"9CA87604-33E8-4CAE-B495-A1CA54375989\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:deno:deno_runtime:*:*:*:*:*:rust:*:*\", \"versionStartIncluding\": \"0.103.0\", \"versionEndExcluding\": \"0.147.0\", \"matchCriteriaId\": \"96B2F540-1D61-413F-A71F-2B95C6FB5149\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.\"}, {\"lang\": \"es\", \"value\": \"Deno es un tiempo de ejecuci\\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. A partir de la versi\\u00f3n 1.32.1 y antes de la versi\\u00f3n 1.41 de la librer\\u00eda deno_runtime, la solicitud de permiso creada con fines malintencionados puede mostrar el mensaje de permiso falsificado insertando una secuencia de escape ANSI rota en el contenido de la solicitud. Deno est\\u00e1 eliminando cualquier secuencia de escape ANSI del mensaje de permiso, pero los permisos otorgados al programa se basan en los contenidos que contienen las secuencias de escape ANSI. Cualquier programa Deno puede falsificar el contenido del mensaje de permiso interactivo insertando un c\\u00f3digo ANSI roto, lo que permite que un programa Deno malicioso muestre la ruta del archivo o el nombre del programa incorrecto al usuario. La versi\\u00f3n 1.41 de la librer\\u00eda deno_runtime contiene un parche para el problema.\"}]",
"id": "CVE-2024-27936",
"lastModified": "2025-01-03T19:27:46.510",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2024-03-21T02:52:22.813",
"references": "[{\"url\": \"https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-150\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-27936\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-21T02:52:22.813\",\"lastModified\":\"2025-01-03T19:27:46.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. A partir de la versi\u00f3n 1.32.1 y antes de la versi\u00f3n 1.41 de la librer\u00eda deno_runtime, la solicitud de permiso creada con fines malintencionados puede mostrar el mensaje de permiso falsificado insertando una secuencia de escape ANSI rota en el contenido de la solicitud. Deno est\u00e1 eliminando cualquier secuencia de escape ANSI del mensaje de permiso, pero los permisos otorgados al programa se basan en los contenidos que contienen las secuencias de escape ANSI. Cualquier programa Deno puede falsificar el contenido del mensaje de permiso interactivo insertando un c\u00f3digo ANSI roto, lo que permite que un programa Deno malicioso muestre la ruta del archivo o el nombre del programa incorrecto al usuario. La versi\u00f3n 1.41 de la librer\u00eda deno_runtime contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-150\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.32.1\",\"versionEndExcluding\":\"1.41.0\",\"matchCriteriaId\":\"9CA87604-33E8-4CAE-B495-A1CA54375989\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:deno:deno_runtime:*:*:*:*:*:rust:*:*\",\"versionStartIncluding\":\"0.103.0\",\"versionEndExcluding\":\"0.147.0\",\"matchCriteriaId\":\"96B2F540-1D61-413F-A71F-2B95C6FB5149\"}]}]}],\"references\":[{\"url\":\"https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27936\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-09T20:24:15.593823Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*\"], \"vendor\": \"deno\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.32.1\", \"lessThan\": \"1.41.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-09T20:26:31.151Z\"}}], \"cna\": {\"title\": \"Deno interactive permission prompt spoofing via improper ANSI stripping\", \"source\": {\"advisory\": \"GHSA-m4pq-fv2w-6hrw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.32.1, \u003c 1.41.0\"}]}], \"references\": [{\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw\", \"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-m4pq-fv2w-6hrw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d\", \"name\": \"https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5\", \"name\": \"https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-150\", \"description\": \"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-10T12:42:08.776Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-27936\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-09T20:26:36.870Z\", \"dateReserved\": \"2024-02-28T15:14:14.217Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-06T21:05:59.251Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…