CVE-2022-37601

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-37601
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product
https://github.com/webpack/loader-utils/issues/212 Issue Tracking Third Party Advisory
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit Issue Tracking Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product
https://github.com/webpack/loader-utils/issues/212 Issue Tracking Third Party Advisory
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit Issue Tracking Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*
cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
History

21 Nov 2024, 07:15

Type Values Removed Values Added
References () http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf - Technical Description () http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf - Technical Description
References () https://dl.acm.org/doi/abs/10.1145/3488932.3497769 - Technical Description () https://dl.acm.org/doi/abs/10.1145/3488932.3497769 - Technical Description
References () https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - Technical Description () https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - Technical Description
References () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 - Product () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 - Product
References () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 - Product () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 - Product
References () https://github.com/webpack/loader-utils/issues/212 - Issue Tracking, Third Party Advisory () https://github.com/webpack/loader-utils/issues/212 - Issue Tracking, Third Party Advisory
References () https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 - Exploit, Issue Tracking, Third Party Advisory () https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 - Exploit, Issue Tracking, Third Party Advisory
References () https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 - Exploit, Issue Tracking, Third Party Advisory () https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 - Exploit, Issue Tracking, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html - Third Party Advisory () https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html - Third Party Advisory

14 May 2024, 11:13

Type Values Removed Values Added
Summary (en) Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js. (en) Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Information

Published : 2022-10-12 20:15

Updated : 2024-11-21 07:15

NVD link : CVE-2022-37601

Mitre link : CVE-2022-37601

CVE.ORG link : CVE-2022-37601

JSON object : View

Products Affected

webpack.js

  • loader-utils

debian

  • debian_linux
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024