Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04MzhoLWpxcDYtY2YyZs02gA

Sandbox bypass leading to arbitrary code execution in Deno

Impact

Deno versions 1.18.0 through 1.20.2 (inclusive) are vulnerable to an attack in which a malicious actor who controls the code executed in a Deno runtime can bypass permission checks and execute arbitrary shell code.

There is no evidence that this vulnerability has been exploited in the wild.

This vulnerability does not affect users of Deno Deploy.

Patches

The vulnerability has been patched in Deno 1.20.3.

Workarounds

There is no workaround. All users are advised to upgrade to 1.20.3 immediately.


The cause of this error was that certain FFI operations did not correctly check for permissions. The issue was fixed in this pull request.

Permalink: https://github.com/advisories/GHSA-838h-jqp6-cf2f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04MzhoLWpxcDYtY2YyZs02gA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 10 months ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-838h-jqp6-cf2f, CVE-2022-24783
References: Repository: https://github.com/denoland/deno
Blast Radius: 0.0

Affected Packages

cargo:deno
Dependent packages: 5
Dependent repositories: 1
Downloads: 142,556 total
Affected Version Ranges: >= 1.18.0, < 1.20.3
Fixed in: 1.20.3
All affected versions: 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.1, 1.20.2
All unaffected versions: 0.0.1, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.38.0, 0.40.0, 0.41.0, 0.42.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.3, 1.4.0, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.5, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.4, 1.11.5, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.30.0, 1.30.1, 1.30.2, 1.30.3, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.32.4, 1.32.5, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.33.4, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.36.4, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.38.5, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.40.5, 1.41.0, 1.41.1, 1.41.2, 1.41.3, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.4