Upstream information

CVE-2023-33966 at MITRE

Description

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 8.6
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Impact None
Integrity Impact High
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1211893 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Wed May 31 22:01:43 2023
CVE page last modified: Sat Aug 24 19:06:07 2024