CVE-2024-27935

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
https://github.com/denoland/deno/issues/20188
https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp

Configurations

No configuration.

History

21 Mar 2024, 02:52

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-21 02:52

Updated : 2024-03-21 12:58

NVD link : CVE-2024-27935

Mitre link : CVE-2024-27935

CVE.ORG link : CVE-2024-27935

JSON object : View

Products Affected

No product.

CWE

CWE-488

Exposure of Data Element to Wrong Session

7.2 /10