CVE-2023-28446

Exploit

EPSS 1.65%
Veröffentlicht 24.03.2023 20:15:15
Zuletzt bearbeitet 21.11.2024 07:55:05
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run. This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Deno ≫ Deno Version < 1.31.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.65%	0.816

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175

Vendor Advisory

https://github.com/denoland/deno/releases/tag/v1.31.2

Patch

Release Notes

https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-28446

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28446

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28446

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-28446