Описание
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync are not limited by the permission model check --deny-read=./. It's possible to retrieve stats from files that the user do not have explicit read access to (the script is executed with --deny-read=./). Similar APIs like Deno.stat and Deno.statSync require allow-read permission, however, when a file is opened, even with file-write only flags and deny-read permission, it's still possible to retrieve file stats, and thus bypass the permission model. Versions 2.5.3 and 2.2.15 fix the issue.
Ссылки
- Patch
- Issue TrackingPatch
- Release Notes
- Release Notes
- ExploitVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.2.15 (включая)Версия от 2.3.0 (включая) до 2.5.3 (исключая)
Одно из
cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*
cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*
EPSS
Процентиль: 3%
0.00016
Низкий
3.3 Low
CVSS3
Дефекты
CWE-269
Связанные уязвимости
CVSS3: 3.3
github
4 месяца назад
Deno's --deny-read check does not prevent permission bypass
EPSS
Процентиль: 3%
0.00016
Низкий
3.3 Low
CVSS3
Дефекты
CWE-269