Deno is vulnerable to interactive `run` permission prompt spoofing via improper ANSI neutralization
CVE-2023-28446
8.8 HIGH
What is CVE-2023-28446?
Deno, a runtime for JavaScript and TypeScript, contains a security vulnerability that allows arbitrary command execution due to insufficient ANSI filtering. This flaw enables an attacker to manipulate the first two lines of a command in the `op_spawn_child` or `op_kill` prompt, leading to unauthorized execution of commands. The exploit is not feasible in environments without an interactive prompt, such as headless servers. The issue was addressed in version 1.31.2.
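One way to neutralize terminal control sequences before untrusted text is rendered in an interactive confirmation prompt, as an added example (not Deno's actual patch and not code from this advisory). The function names, the prompt wording and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: neutralize terminal control sequences in untrusted text
// before it is displayed inside an interactive permission prompt.
// Hypothetical helper names; this is not Deno's implementation.

// Well-formed escape sequences:
//   CSI: ESC [ params intermediates final-byte   (cursor movement, erase line, colors)
//   OSC: ESC ] ... terminated by BEL or ESC \    (window title, hyperlinks)
//   Two-character escapes: ESC followed by a byte in 0x40-0x5F
const ANSI_SEQUENCE =
  /\x1b\[[0-?]*[ -\/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-Z\\-_]/g;

// Any remaining C0 control, DEL, or C1 control (includes 8-bit CSI 0x9b).
const CONTROL_CHAR = /[\x00-\x1f\x7f-\x9f]/g;

// Returns text that cannot move the cursor, erase lines or start a new line.
function neutralizeForPrompt(untrusted) {
  return String(untrusted)
    // Pass 1: drop complete escape sequences so the display stays readable.
    .replace(ANSI_SEQUENCE, "")
    // Pass 2: stripping can splice fragments back into a fresh sequence
    // (ESC ESC[1A[1A collapses to ESC[1A), and CR/LF can also redraw a
    // prompt, so every leftover control byte is printed as visible \xNN.
    .replace(CONTROL_CHAR, (c) =>
      "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Hypothetical prompt builder: the untrusted command name is neutralized
// before it is interpolated into the line the user is asked to approve.
function formatRunPrompt(command) {
  return `Allow run access to "${neutralizeForPrompt(command)}"? [y/n]`;
}

// Constructed sample inputs (not taken from a real exploit).
const samples = [
  "ls\x1b[1A\x1b[2K -la",       // cursor-up + erase-line inside the name
  "a\x1b\x1b[1A[1Ab",           // nested form that reassembles after stripping
  "tool\r\nAllow? [y/n]",       // CR/LF attempting to draw a second prompt
];
for (const s of samples) console.log(formatRunPrompt(s));
```

Escaping the leftover bytes rather than silently deleting them keeps tampering visible to the person answering the prompt.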
Affected Version(s)
deno >= 1.8.0, < 1.31.2
