CVE-2024-27931 - Vulnerability Details - OpenCVE

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Deno	Deno

Configuration 1 [-]

cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh

History

Fri, 03 Jan 2025 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-05T16:43:11.934Z

Updated: 2024-08-02T00:41:55.851Z

Reserved: 2024-02-28T15:14:14.216Z

Link: CVE-2024-27931

Vulnrichment

Updated: 2024-07-19T14:34:41.180Z

NVD

Status : Analyzed

Published: 2024-03-05T17:15:07.310

Modified: 2025-01-03T19:29:35.223

Link: CVE-2024-27931

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27931", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.216Z", "datePublished": "2024-03-05T16:43:11.934Z", "dateUpdated": "2024-08-02T00:41:55.851Z"}, "containers": {"cna": {"title": "Insufficient permission checking in `Deno.makeTemp*` APIs", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": "< 1.41.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-05T16:43:11.934Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.\n\n"}], "source": {"advisory": "GHSA-hrqr-jv8w-v9jh", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "deno", "product": "deno", "cpes": ["cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.41.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T14:01:30.921102Z", "id": "CVE-2024-27931", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T17:52:12.034Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.851Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T14:01:30.921102Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"], "vendor": "deno", "product": "deno", "versions": [{"status": "affected", "version": "0", "lessThan": "1.41.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T14:34:41.180Z"}}], "cna": {"title": "Insufficient permission checking in `Deno.makeTemp*` APIs", "source": {"advisory": "GHSA-hrqr-jv8w-v9jh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "< 1.41.1"}]}], "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh", "name": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-05T16:43:11.934Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27931", "state": "PUBLISHED", "dateUpdated": "2024-07-23T17:52:12.034Z", "dateReserved": "2024-02-28T15:14:14.216Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-05T16:43:11.934Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDC88459-089C-4E6D-950E-341DB3737E84", "versionEndExcluding": "1.41.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.\n\n"}, {"lang": "es", "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. Una validaci\u00f3n insuficiente de los par\u00e1metros en las API `Deno.makeTemp*` permitir\u00eda la creaci\u00f3n de archivos fuera de los directorios permitidos. Esto puede permitir al usuario sobrescribir archivos importantes en el sistema que pueden afectar a otros sistemas. Un usuario puede proporcionar un prefijo o sufijo a una API `Deno.makeTemp*` que contenga caracteres de path traversal. Esto se solucion\u00f3 en Deno 1.41.1."}], "id": "CVE-2024-27931", "lastModified": "2025-01-03T19:29:35.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-05T17:15:07.310", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}