Vulnerability-Lookup

CVE-2024-27935 (GCVE-0-2024-27935)

Vulnerability from cvelistv5 – Published: 2024-03-06 21:02 – Updated: 2024-08-02 20:12

Title

Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CWE

CWE-488 - Exposure of Data Element to Wrong Session

Assigner

GitHub_M

References

URL

Tags

	https://github.com/denoland/deno/security/advisor…	x_refsource_CONFIRM
	https://github.com/denoland/deno/issues/20188	x_refsource_MISC
	https://github.com/denoland/deno/commit/3e9fb8aaf…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	denoland	deno	Affected: >= 1.35.1, < 1.36.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:41:55.847Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
          },
          {
            "name": "https://github.com/denoland/deno/issues/20188",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/issues/20188"
          },
          {
            "name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "deno",
            "vendor": "denoland",
            "versions": [
              {
                "lessThanOrEqual": "1.36.3",
                "status": "affected",
                "version": "1.35.1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27935",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-02T20:04:17.278451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:12:42.832Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deno",
          "vendor": "denoland",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.35.1, \u003c 1.36.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-488",
              "description": "CWE-488: Exposure of Data Element to Wrong Session",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-06T21:02:14.359Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
        },
        {
          "name": "https://github.com/denoland/deno/issues/20188",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/issues/20188"
        },
        {
          "name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
        }
      ],
      "source": {
        "advisory": "GHSA-wrqv-pf6j-mqjp",
        "discovery": "UNKNOWN"
      },
      "title": "Deno\u0027s Node.js Compatibility Runtime has Cross-Session Data Contamination"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-27935",
    "datePublished": "2024-03-06T21:02:14.359Z",
    "dateReserved": "2024-02-28T15:14:14.216Z",
    "dateUpdated": "2024-08-02T20:12:42.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Deno\u0027s Node.js Compatibility Runtime has Cross-Session Data Contamination\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-488\", \"lang\": \"en\", \"description\": \"CWE-488: Exposure of Data Element to Wrong Session\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp\"}, {\"name\": \"https://github.com/denoland/deno/issues/20188\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/denoland/deno/issues/20188\"}, {\"name\": \"https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6\"}], \"affected\": [{\"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"version\": \"\u003e= 1.35.1, \u003c 1.36.3\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-06T21:02:14.359Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\\n\"}], \"source\": {\"advisory\": \"GHSA-wrqv-pf6j-mqjp\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:41:55.847Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp\"}, {\"name\": \"https://github.com/denoland/deno/issues/20188\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/denoland/deno/issues/20188\"}, {\"name\": \"https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27935\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-02T20:04:17.278451Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*\"], \"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.35.1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.36.3\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-02T20:12:30.539Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-27935\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-02-28T15:14:14.216Z\", \"datePublished\": \"2024-03-06T21:02:14.359Z\", \"dateUpdated\": \"2024-08-02T20:12:42.832Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-27935

Vulnerability from fkie_nvd - Published: 2024-03-21 02:52 - Updated: 2025-01-03 19:25

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6	Patch
security-advisories@github.com	https://github.com/denoland/deno/issues/20188	Exploit, Issue Tracking
security-advisories@github.com	https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/issues/20188	Exploit, Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp	Vendor Advisory

Impacted products

	Vendor	Product	Version
	deno	deno	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C495C2E-08BD-43EB-9210-6FF31E09ECCF",
              "versionEndExcluding": "1.36.3",
              "versionStartIncluding": "1.35.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"
    },
    {
      "lang": "es",
      "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. A partir de la versi\u00f3n 1.35.1 y antes de la versi\u00f3n 1.36.3, una vulnerabilidad en el tiempo de ejecuci\u00f3n de compatibilidad de Node.js de Deno permite la contaminaci\u00f3n de datos entre sesiones durante lecturas asincr\u00f3nicas simult\u00e1neas de flujos de Node.js provenientes de sockets o archivos. El problema surge de la reutilizaci\u00f3n de un b\u00fafer global (BUF) en stream_wrap.ts utilizado como optimizaci\u00f3n del rendimiento para limitar las asignaciones durante estas operaciones de lectura asincr\u00f3nicas. Esto puede provocar que los datos destinados a una sesi\u00f3n sean recibidos por otra sesi\u00f3n, lo que podr\u00eda provocar da\u00f1os en los datos y comportamientos inesperados. Esto afecta a todos los usuarios de Deno que usan la capa de compatibilidad de node.js para la comunicaci\u00f3n de red u otras transmisiones, incluidos los paquetes que pueden requerir librer\u00edas de node.js indirectamente. La versi\u00f3n 1.36.3 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2024-27935",
  "lastModified": "2025-01-03T19:25:19.090",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-21T02:52:22.627",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/denoland/deno/issues/20188"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/denoland/deno/issues/20188"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-488"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2024-27935

Vulnerability from gsd - Updated: 2024-02-29 06:03

Details

Aliases

CVE-2024-27935

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-27935"
      ],
      "details": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n",
      "id": "GSD-2024-27935",
      "modified": "2024-02-29T06:03:30.435305Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-27935",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "deno",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.35.1, \u003c 1.36.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "denoland"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-488",
                "lang": "eng",
                "value": "CWE-488: Exposure of Data Element to Wrong Session"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
          },
          {
            "name": "https://github.com/denoland/deno/issues/20188",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/issues/20188"
          },
          {
            "name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-wrqv-pf6j-mqjp",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"
          },
          {
            "lang": "es",
            "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. A partir de la versi\u00f3n 1.35.1 y antes de la versi\u00f3n 1.36.3, una vulnerabilidad en el tiempo de ejecuci\u00f3n de compatibilidad de Node.js de Deno permite la contaminaci\u00f3n de datos entre sesiones durante lecturas asincr\u00f3nicas simult\u00e1neas de flujos de Node.js provenientes de sockets o archivos. El problema surge de la reutilizaci\u00f3n de un b\u00fafer global (BUF) en stream_wrap.ts utilizado como optimizaci\u00f3n del rendimiento para limitar las asignaciones durante estas operaciones de lectura asincr\u00f3nicas. Esto puede provocar que los datos destinados a una sesi\u00f3n sean recibidos por otra sesi\u00f3n, lo que podr\u00eda provocar da\u00f1os en los datos y comportamientos inesperados. Esto afecta a todos los usuarios de Deno que usan la capa de compatibilidad de node.js para la comunicaci\u00f3n de red u otras transmisiones, incluidos los paquetes que pueden requerir librer\u00edas de node.js indirectamente. La versi\u00f3n 1.36.3 contiene un parche para este problema."
          }
        ],
        "id": "CVE-2024-27935",
        "lastModified": "2024-03-21T12:58:51.093",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 2.7,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-21T02:52:22.627",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/issues/20188"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-488"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

GHSA-WRQV-PF6J-MQJP

Vulnerability from github – Published: 2024-03-05 20:49 – Updated: 2024-03-21 18:29

Summary

Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination

Details

Summary

A vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior.

Details

A bug in Deno's Node.js compatibility runtime results in data cross-reception during simultaneous asynchronous reads from Node.js network streams. When multiple independent network socket connections are involved, this vulnerability can be triggered. For instance, two separate server sockets that receive data from their respective client sockets and then echo the received data back to the client using Node.js streams may experience an issue where data from one socket may appear on another socket. Due to the improper isolation of the global buffer (BUF), data sent by one socket can end up being incorrectly received by another socket. Consequently, data intended for one session may be exposed to another session, potentially leading to data corruption and unexpected behavior.

This buffer was introduced as a performance optimization to avoid excessive allocations during network read operations.

In cases where the net.Stream is connected to a remote server such as a database or key/value store such as Redis, this may result in a packet received on one connection being presented to another, causing data cross-contamination between multiple users and potentially leaking sensitive information.

It is important to note that this vulnerability does not affect Deno network streams created with the Deno.listen and Deno.connect APIs.

The impact of this issue may extend beyond node.js network streams, however, and may also affect asynchronous reads from non-network node.js Stream such as those created from files.

PoC

https://github.com/denoland/deno/issues/20188

Impact

This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly.

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.35.1"
            },
            {
              "fixed": "1.36.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-488"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-05T20:49:14Z",
    "nvd_published_at": "2024-03-21T02:52:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA vulnerability in Deno\u0027s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior.\n\n### Details\n\nA bug in Deno\u0027s Node.js compatibility runtime results in data cross-reception during simultaneous asynchronous reads from Node.js network streams. When multiple independent network socket connections are involved, this vulnerability can be triggered. For instance, two separate server sockets that receive data from their respective client sockets and then echo the received data back to the client using Node.js streams may experience an issue where data from one socket may appear on another socket. Due to the improper isolation of the global buffer (`BUF`), data sent by one socket can end up being incorrectly received by another socket. Consequently, data intended for one session may be exposed to another session, potentially leading to data corruption and unexpected behavior.\n\nThis buffer was introduced as a performance optimization to avoid excessive allocations during network read operations.\n\nIn cases where the [net.Stream](https://nodejs.org/api/net.html) is connected to a remote server such as a database or key/value store such as Redis, this may result in a packet received on one connection being presented to another, causing data cross-contamination between multiple users and potentially leaking sensitive information.\n\nIt is important to note that this vulnerability does not affect Deno network streams created with the `Deno.listen` and `Deno.connect` APIs. \n\nThe impact of this issue may extend beyond node.js network streams, however, and may also affect asynchronous reads from non-network node.js Stream such as those created from files.\n\n### PoC\n\nhttps://github.com/denoland/deno/issues/20188\n\n### Impact\n\nThis affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly.\n",
  "id": "GHSA-wrqv-pf6j-mqjp",
  "modified": "2024-03-21T18:29:19Z",
  "published": "2024-03-05T20:49:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/issues/20188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno\u0027s Node.js Compatibility Runtime has Cross-Session Data Contamination"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-27935 (GCVE-0-2024-27935)

FKIE_CVE-2024-27935

GSD-2024-27935

GHSA-WRQV-PF6J-MQJP

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature