CVE-2023-28154
webpack JS package <= 5.75.0 - Sandbox Bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
A flaw was found in the webpack package, which could allow a remote attacker to bypass security restrictions caused by the mishandling of the magic comment feature by the ImportParserPlugin.js. This flaw allows an attacker to gain access to the real global object by sending a specially-crafted request.
The JS package webpack is vulnerable to Sandbox Bypass in versions up to, and including, 5.75.0 due to mishandling magic comments. Some WordPress plugins and themes use this dependency, however, are not vulnerable to exploitation.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-03-13 CVE Reserved
- 2023-03-13 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (7)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0 | 2023-11-07 | |
https://github.com/webpack/webpack/pull/16500 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Webpack.js Search vendor "Webpack.js" | Webpack Search vendor "Webpack.js" for product "Webpack" | >= 5.0.0 < 5.76.0 Search vendor "Webpack.js" for product "Webpack" and version " >= 5.0.0 < 5.76.0" | node.js |
Affected
|