CVE-2024-34346 - OpenCVE

Link	Resource
https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34346", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-02T06:36:32.437Z", "datePublished": "2024-05-07T21:02:16.809Z", "dateUpdated": "2024-06-06T18:25:43.423Z"}, "containers": {"cna": {"title": "Deno contains a permission escalation via open of privileged files with missing `--deny` flag", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": "< 1.43.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T21:02:16.809Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\\\` on Windows.\n"}], "source": {"advisory": "GHSA-23rx-c3g5-hv9w", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "deno", "product": "deno", "cpes": ["cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.43.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-14T16:16:40.968446Z", "id": "CVE-2024-34346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:25:43.423Z"}}]}}

{"descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\\\` on Windows.\n"}, {"lang": "es", "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. La sandbox de Deno puede verse debilitado inesperadamente al permitir el acceso de lectura/escritura de archivos privilegiados en varias ubicaciones en plataformas Unix y Windows. Por ejemplo, leer `/proc/self/environ` puede proporcionar un acceso equivalente a `--allow-env`, y escribir `/proc/self/mem` puede proporcionar un acceso equivalente a `--allow-all`. Es posible que los usuarios que otorgan acceso de lectura y escritura a todo el sistema de archivos no se den cuenta de que este acceso a estos archivos puede tener consecuencias adicionales no deseadas. La documentaci\u00f3n no refleja que esta pr\u00e1ctica deba llevarse a cabo para aumentar la solidez del entorno limitado de seguridad. Los usuarios que ejecutan c\u00f3digo con `--allow-read` o `--allow-write` pueden terminar inesperadamente otorgando permisos adicionales a trav\u00e9s de operaciones del sistema de archivos. Deno 1.43 y superiores requieren acceso expl\u00edcito `--allow-all` para leer o escribir `/etc`, `/dev` en plataformas Unix (as\u00ed como `/proc` y `/sys` en plataformas Linux), y cualquier ruta que comienza con `\\\\` en Windows."}], "id": "CVE-2024-34346", "lastModified": "2024-05-08T13:15:00.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-07T21:15:09.270", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

JSON object

JSON object

JSON object