CVE-2024-34346

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\` on Windows.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w

Configurations

No configuration.

History

No history.

Information

Published : 2024-05-07 21:15

Updated : 2024-05-08 13:15

NVD link : CVE-2024-34346

Mitre link : CVE-2024-34346

CVE.ORG link : CVE-2024-34346

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-34346", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}]}, "published": "2024-05-07T21:15:09.270", "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\\\` on Windows.\n"}, {"lang": "es", "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. La sandbox de Deno puede verse debilitado inesperadamente al permitir el acceso de lectura/escritura de archivos privilegiados en varias ubicaciones en plataformas Unix y Windows. Por ejemplo, leer `/proc/self/environ` puede proporcionar un acceso equivalente a `--allow-env`, y escribir `/proc/self/mem` puede proporcionar un acceso equivalente a `--allow-all`. Es posible que los usuarios que otorgan acceso de lectura y escritura a todo el sistema de archivos no se den cuenta de que este acceso a estos archivos puede tener consecuencias adicionales no deseadas. La documentaci\u00f3n no refleja que esta pr\u00e1ctica deba llevarse a cabo para aumentar la solidez del entorno limitado de seguridad. Los usuarios que ejecutan c\u00f3digo con `--allow-read` o `--allow-write` pueden terminar inesperadamente otorgando permisos adicionales a trav\u00e9s de operaciones del sistema de archivos. Deno 1.43 y superiores requieren acceso expl\u00edcito `--allow-all` para leer o escribir `/etc`, `/dev` en plataformas Unix (as\u00ed como `/proc` y `/sys` en plataformas Linux), y cualquier ruta que comienza con `\\\\` en Windows."}], "lastModified": "2024-05-08T13:15:00.690", "sourceIdentifier": "security-advisories@github.com"}