Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors Products
Debian
  • Debian Linux
Webpack.js
  • Loader-utils

Configuration 1 [-]

OR cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*
cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References
Link Resource
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product
https://github.com/webpack/loader-utils/issues/212 Issue Tracking Third Party Advisory
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit Issue Tracking Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-12T00:00:00

Updated: 2024-05-10T15:59:24.822577

Reserved: 2022-08-08T00:00:00

Link: CVE-2022-37601

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2022-10-12T20:15:11.263

Modified: 2024-05-14T11:13:00.253

Link: CVE-2022-37601

JSON object: View

cve-icon Redhat Information

No data.

CWE