SB20260423125 - Information disclosure in Deno

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2024-21486)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in static imports when directly or indirectly executing third-party code with deno run. A remote attacker can place a crafted static import in attacker-controlled code to disclose sensitive information.

When the program is executed with read and write permissions, sensitive local file contents can be exfiltrated over the network even though no network permission was granted.

Remediation

Install update from vendor's website.

References

• https://github.com/denoland/deno/security/advisories/GHSA-jv4x-jv3h-qff5
• https://github.com/advisories/GHSA-jv4x-jv3h-qff5