CVE-2023-28154 – webpack JS package <= 5.75.0 - Sandbox Bypass
https://notcve.org/view.php?id=CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object. A flaw was found in the webpack package that could allow a remote attacker to bypass security restrictions, caused by the mishandling of the magic comment feature in ImportParserPlugin.js. This flaw allows an attacker to gain access to the real global object by sending a specially crafted request.
• https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
• https://github.com/webpack/webpack/pull/16500
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D
• https://access.redhat.com/security/cve/CVE-2023
• CWE-269: Improper Privilege Management
CVE-2022-37601 – loader-utils (JS package) < 2.0.3 - Prototype Pollution
https://notcve.org/view.php?id=CVE-2022-37601
Prototype pollution vulnerability in the function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution. The package loader-utils before 1.4.1, and from 2.0.0 and before 2.0.3, is vulnerable to prototype pollution via the function parseQuery, which could make injecting malicious web scripts possible in some cases.
• http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
• https://dl.acm.org/doi/abs/10.1145/3488932.3497769
• https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
• https://github.com/webpack/loader-utils/issues/212
• https://github.com/webpack/loader-utils/issues/212#issu
• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2022-37603 – loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service
https://notcve.org/view.php?id=CVE-2022-37603
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A flaw was found in the loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression denial of service (ReDoS), affecting the availability of the affected component. The package loader-utils before 1.4.2, from 2.0.0 and before 2.0.4, as well as versions from 3.0.0 but below 3.2.1, are vulnerable to regular expression denial of service (ReDoS) via the resourcePath variable due to insecure usage of regular expressions.
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
• https://github.com/webpack/loader-utils/issues/213
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375
• https://lists.fedoraproject.org&
• CWE-185: Incorrect Regular Expression
• CWE-400: Uncontrolled Resource Consumption
• CWE-1333: Inefficient Regular Expression Complexity
CVE-2022-37599 – loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service
https://notcve.org/view.php?id=CVE-2022-37599
A regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. A flaw was found in the interpolateName function in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. This flaw can lead to a regular expression denial of service (ReDoS). The package loader-utils before 1.4.2, from 2.0.0 and before 2.0.4, as well as versions from 3.0.0 but below 3.2.1, are vulnerable to regular expression denial of service (ReDoS) via the interpolateName function due to insecure usage of regular expressions. Some WordPress plugins and themes use this dependency but are not vulnerable to exploitation.
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
• https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83
• https://github.com/webpack/loader-utils/issues/211
• https://github.com/webpack/loader-utils/issues/216
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message&
• CWE-400: Uncontrolled Resource Consumption
• CWE-1333: Inefficient Regular Expression Complexity
CVE-2018-14732
https://notcve.org/view.php?id=CVE-2018-14732
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
• https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages
• https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10
• https://github.com/webpack/webpack-dev-server/issues/1445
• CWE-20: Improper Input Validation