CVE-2022-24783

Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.

CVSS v3 10.0 CRITICAL
CVSS v2.0 7.5 HIGH

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

History

30 Jun 2023, 18:50

Type	Values Removed	Values Added
CWE	~~CWE-269~~	CWE-863

31 Mar 2022, 15:37

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f -~~	(CONFIRM) https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 10.0
CPE		cpe:2.3:a:deno:deno::::::::

25 Mar 2022, 23:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-25 22:15

Updated : 2024-02-04 22:29

NVD link : CVE-2022-24783

Mitre link : CVE-2022-24783

CVE.ORG link : CVE-2022-24783

JSON object : View

Products Affected

deno

deno

CWE

CWE-863

Incorrect Authorization

CWE-269

Improper Privilege Management

{"id": "CVE-2022-24783", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2022-03-25T22:15:08.093", "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately."}, {"lang": "es", "value": "Deno es un tiempo de ejecuci\u00f3n para JavaScript y TypeScript. Las versiones de Deno comprendidas entre la versi\u00f3n 1.18.0 y la 1.20.2 (inclusive) son vulnerables a un ataque en el que un actor malicioso que controle el c\u00f3digo ejecutado en un tiempo de ejecuci\u00f3n de Deno podr\u00eda omitir todas las comprobaciones de permisos y ejecutar c\u00f3digo shell arbitrario. Esta vulnerabilidad no afecta a usuarios de Deno Deploy. La vulnerabilidad ha sido parcheada en Deno versi\u00f3n 1.20.3. No se presenta ninguna medida de mitigaci\u00f3n. Es recomendado a todos los usuarios actualizar a versi\u00f3n 1.20.3 inmediatamente"}], "lastModified": "2023-06-30T18:50:55.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07CA5FF5-C8A9-4E09-87EF-7C492F37F18A", "versionEndExcluding": "1.20.3", "versionStartIncluding": "1.18.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}