Last Modified: March 31, 2023
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.
Tweets last week: 0
Remaining steady
Yahoo results: 0
Remaining steady
Current EPSS Score: 0.00068
Remaining steady
Reddit Posts: 1
Remaining steady
Github Repos: 0
Remaining steady
Found exploits:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Base Score: 8.8
Exploitability Score:
2.8
Impact Score: 5.9
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-150
| Condition | Configuration | |
|---|---|---|
| OR | ||
| OR | ||
| cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:* Part: a Vendor: deno | Alle Schwachstellen für deno | |
Base Score V3:
Not defined
Exploitability Score V3:
Not defined
Impact Score V3:
Not defined
Cvss Vector V3:
Not defined
Configuration:
added:
cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*
<?xml version="1.0" ?>
<set operator="and">
<set operator="or">
<prop key="application" value="cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"/>
</set>
</set>
<?xml version="1.0" ?>
<set operator="and">
<set operator="or">
<prop key="application" value="cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*"/>
</set>
<prop key="program_influence" value="input"/>
</set>