Unverified Ownership Affecting deno package, versions >=1.39.0 <1.39.1
Snyk ID SNYK-RUST-DENO-6420589
- published 10 Mar 2024
- disclosed 6 Mar 2024
- credit leesh3288
Introduced: 6 Mar 2024
CVE-2024-27933
How to fix?
Upgrade deno to version 1.39.1 or higher.
Overview
deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust.
Affected versions of this package are vulnerable to Unverified Ownership due to the use of raw file descriptors in op_node_ipc_pipe(), which leads to the premature closure of arbitrary file descriptors. This allows standard input to be closed and re-opened as a different resource, enabling a silent permission prompt bypass. An attacker controlling the code executed inside a Deno runtime can achieve arbitrary code execution on the host machine regardless of permissions.
This is made more exploitable by widening the race window between clear_stdin() and the subsequent stdin_lock.read_line(): requesting a resource with a very long name delays the prompt, which gives another Worker time, within that window, to close fd 0 and open in its place a resource starting with A\n, which the prompt then reads as its answer. The attack can be conducted silently, because stderr can also be closed, suppressing all prompt output.
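The mechanism behind the bypass is ordinary POSIX file-descriptor reuse: once fd 0 is closed, the next open() in the process lands on fd 0, and anything that later "reads stdin" reads the new resource. The following is an added example, not Deno's code and not the original exploit; it assumes a Unix host and stands in for Deno's prompt with a function that reads one line from fd 0. It shows the raw-fd ownership bug (an owning handle built from a caller-supplied raw fd closes it on drop, with nothing checking that the caller owned it), the resulting stdin swap fed by a constructed file whose content is A\n, and the ownership-respecting alternative of duplicating the fd before adopting it. The names close_unverified, adopt_by_dup, demo_bypass and demo_dup_keeps_caller_fd are this example's own.

```rust
// Added example (not from Deno). Unix only: std::os::fd is used directly.
use std::fs::File;
use std::io::{self, BufRead};
use std::os::fd::{AsRawFd, BorrowedFd, FromRawFd, OwnedFd, RawFd};
use std::path::PathBuf;

/// The buggy pattern: a caller-supplied raw fd is wrapped in an owning
/// handle and dropped. Nothing verifies that the caller owned `fd`, so
/// any descriptor number the caller names (fd 0 included) gets closed.
fn close_unverified(fd: RawFd) {
    // SAFETY: deliberately unsound for the demonstration; `fd` is not ours.
    let stolen = unsafe { OwnedFd::from_raw_fd(fd) };
    drop(stolen); // close(fd)
}

/// The ownership-respecting pattern: treat the raw fd as borrowed and
/// dup() it, so dropping our handle never closes the caller's descriptor.
fn adopt_by_dup(fd: RawFd) -> io::Result<OwnedFd> {
    // SAFETY: `fd` is only read through a BorrowedFd and never closed here.
    let borrowed = unsafe { BorrowedFd::borrow_raw(fd) };
    borrowed.try_clone_to_owned()
}

/// Stand-in for the permission prompt: read one line from fd 0 as the answer.
fn read_prompt_answer() -> io::Result<String> {
    let mut line = String::new();
    io::stdin().lock().read_line(&mut line)?;
    Ok(line)
}

/// Constructed input: a file whose first line is "A\n", the attacker's answer.
fn write_answer_file(tag: &str) -> io::Result<PathBuf> {
    let path = std::env::temp_dir().join(format!("answer-{}-{}.txt", tag, std::process::id()));
    std::fs::write(&path, b"A\n")?;
    Ok(path)
}

/// The race's payoff, run sequentially: close fd 0 "on someone else's behalf",
/// open the answer file (it takes the lowest free fd, i.e. 0), then let the
/// prompt read stdin. Returns (fd the file landed on, line the prompt read).
pub fn demo_bypass() -> io::Result<(RawFd, String)> {
    let path = write_answer_file("bypass")?;
    close_unverified(0);
    let file = File::open(&path)?;
    let landed_on = file.as_raw_fd();
    let answer = read_prompt_answer()?;
    // Leave fd 0 open as the process's new stdin rather than closing it again.
    std::mem::forget(file);
    let _ = std::fs::remove_file(&path);
    Ok((landed_on, answer))
}

/// Control case: adopting a fd by dup() and dropping the duplicate leaves the
/// caller's original descriptor usable (fstat via metadata() still succeeds).
pub fn demo_dup_keeps_caller_fd() -> io::Result<bool> {
    let path = write_answer_file("dup")?;
    let file = File::open(&path)?;
    let dup = adopt_by_dup(file.as_raw_fd())?;
    let distinct = dup.as_raw_fd() != file.as_raw_fd();
    drop(dup);
    let still_open = file.metadata().is_ok();
    let _ = std::fs::remove_file(&path);
    Ok(distinct && still_open)
}

fn main() -> io::Result<()> {
    let (fd, answer) = demo_bypass()?;
    println!("answer file landed on fd {fd}; prompt read {answer:?}");
    println!("dup-based adoption keeps caller fd: {}", demo_dup_keeps_caller_fd()?);
    Ok(())
}
```

The fix direction this illustrates is the general one for raw handles crossing a trust boundary: either refuse to adopt a descriptor you were merely handed a number for, or dup() it so that closing your copy cannot affect the process's standard streams. demo_bypass deliberately closes the process's real stdin, so run it in a throwaway process.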