{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.216Z", "datePublished": "2024-03-06T21:02:14.359Z", "dateUpdated": "2024-08-02T20:12:42.832Z"}, "containers": {"cna": {"title": "Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination", "problemTypes": [{"descriptions": [{"cweId": "CWE-488", "lang": "en", "description": "CWE-488: Exposure of Data Element to Wrong Session", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"}, {"name": "https://github.com/denoland/deno/issues/20188", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/issues/20188"}, {"name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": ">= 1.35.1, < 1.36.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T21:02:14.359Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"}], "source": {"advisory": "GHSA-wrqv-pf6j-mqjp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.847Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"}, {"name": "https://github.com/denoland/deno/issues/20188", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/issues/20188"}, {"name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"}]}, {"affected": [{"vendor": "denoland", "product": "deno", "cpes": ["cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.35.1", "status": "affected", "lessThanOrEqual": "1.36.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T20:04:17.278451Z", "id": "CVE-2024-27935", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T20:12:42.832Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.216Z", "datePublished": "2024-03-06T21:02:14.359Z", "dateUpdated": "2024-08-02T20:12:42.832Z"}, "containers": {"cna": {"title": "Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination", "problemTypes": [{"descriptions": [{"cweId": "CWE-488", "lang": "en", "description": "CWE-488: Exposure of Data Element to Wrong Session", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"}, {"name": "https://github.com/denoland/deno/issues/20188", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/issues/20188"}, {"name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": ">= 1.35.1, < 1.36.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T21:02:14.359Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"}], "source": {"advisory": "GHSA-wrqv-pf6j-mqjp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.847Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"}, {"name": "https://github.com/denoland/deno/issues/20188", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/issues/20188"}, {"name": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27935", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-02T20:04:17.278451Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:denoland:deno:*:*:*:*:*:*:*:*"], "vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "1.35.1", "versionType": "custom", "lessThanOrEqual": "1.36.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T20:12:30.539Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C495C2E-08BD-43EB-9210-6FF31E09ECCF", "versionEndExcluding": "1.36.3", "versionStartIncluding": "1.35.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.\n"}, {"lang": "es", "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. A partir de la versi\u00f3n 1.35.1 y antes de la versi\u00f3n 1.36.3, una vulnerabilidad en el tiempo de ejecuci\u00f3n de compatibilidad de Node.js de Deno permite la contaminaci\u00f3n de datos entre sesiones durante lecturas asincr\u00f3nicas simult\u00e1neas de flujos de Node.js provenientes de sockets o archivos. El problema surge de la reutilizaci\u00f3n de un b\u00fafer global (BUF) en stream_wrap.ts utilizado como optimizaci\u00f3n del rendimiento para limitar las asignaciones durante estas operaciones de lectura asincr\u00f3nicas. Esto puede provocar que los datos destinados a una sesi\u00f3n sean recibidos por otra sesi\u00f3n, lo que podr\u00eda provocar da\u00f1os en los datos y comportamientos inesperados. Esto afecta a todos los usuarios de Deno que usan la capa de compatibilidad de node.js para la comunicaci\u00f3n de red u otras transmisiones, incluidos los paquetes que pueden requerir librer\u00edas de node.js indirectamente. La versi\u00f3n 1.36.3 contiene un parche para este problema."}], "id": "CVE-2024-27935", "lastModified": "2025-01-03T19:25:19.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.7, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-03-21T02:52:22.627", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"}, {"source": "[email protected]", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/denoland/deno/issues/20188"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/denoland/deno/issues/20188"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-488"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}

{}