CVE-2022-37601
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/10/2022
Last modified: 14/05/2024
Description
Prototype pollution vulnerability in the function parseQuery in parseQuery.js in webpack loader-utils, via the name variable. This affects all versions prior to 1.4.1 and, in the 2.x line, versions from 2.0.0 up to but not including 2.0.3.
Impact
Base Score 3.x: 9.80
Severity 3.x: CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:* | | 1.4.1 (excluding) |
| cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.0.3 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
- https://github.com/webpack/loader-utils/issues/212
- https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html



