Bug 1211893 (CVE-2023-33966) - VUL-0: CVE-2023-33966: Missing "--allow-net" permission check for built-in Node modules
Status: RESOLVED FIXED
Alias: CVE-2023-33966
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.4
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/368016/
Reported: 2023-06-01 08:52 UTC by Gabriele Sonnu
Modified: 2023-06-01 08:53 UTC
Found By: Security Response Team
Description Gabriele Sonnu 2023-06-01 08:52:36 UTC
CVE-2023-33966

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime
0.114.0, outbound HTTP requests made using the built-in `node:http` or
`node:https` modules are incorrectly not checked against the network permission
allow list (`--allow-net`). Dependencies relying on these built-in modules are
subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are
unaffected. Deno Deploy users are unaffected. This problem has been patched in
Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to
this version. No workaround is available for this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33966
https://www.cve.org/CVERecord?id=CVE-2023-33966
https://github.com/denoland/deno/releases/tag/v1.34.1
https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2f
Comment 1 Gabriele Sonnu 2023-06-01 08:53:09 UTC
We already ship a fixed version, closing.