CVE-2024-27931 deno

Package

Manager: cargo
Name: deno
Vulnerable Version: >=0 <1.41.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

EPSS: 0.00226 (percentile 0.45252)

Details

Insufficient permission checking in `Deno.makeTemp*` APIs

### Impact

Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems.

A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. The permission check would prompt for the base directory of the API, but the final file that was created would be outside of this directory:

```
$ mkdir /tmp/good
$ mkdir /tmp/bad
$ deno repl --allow-write=/tmp/good
> Deno.makeTempFileSync({ dir: "/tmp/bad" })
┌ ⚠️  Deno requests write access to "/tmp/bad".
├ Requested by `Deno.makeTempFile()` API.
├ Run again with --allow-write to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all write permissions) > n
❌ Denied write access to "/tmp/bad".
Uncaught PermissionDenied: Requires write access to "/tmp/bad", run again with the --allow-write flag
    at Object.makeTempFileSync (ext:deno_fs/30_fs.js:176:10)
    at <anonymous>:1:27
> Deno.makeTempFileSync({ dir: "/tmp/good", prefix: "../bad/" })
"/tmp/good/../bad/a9432ef5"
$ ls -l /tmp/bad/a9432ef5
-rw-------@ 1 user group 0 Mar 4 09:20 /tmp/bad/a9432ef5
```

### Patches

This is fixed in Deno 1.41.1.

Metadata

Created: 2024-03-05T16:19:44Z
Modified: 2024-03-05T20:30:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-hrqr-jv8w-v9jh/GHSA-hrqr-jv8w-v9jh.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-hrqr-jv8w-v9jh
Finding: F184
Auto approve: 1