CVE-2022-37601

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
References
Link Resource
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product
https://github.com/webpack/loader-utils/issues/212 Issue Tracking Third Party Advisory
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit Issue Tracking Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product
https://github.com/webpack/loader-utils/issues/212 Issue Tracking Third Party Advisory
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit Issue Tracking Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*
cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 07:15

Type Values Removed Values Added
References () http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf - Technical Description () http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf - Technical Description
References () https://dl.acm.org/doi/abs/10.1145/3488932.3497769 - Technical Description () https://dl.acm.org/doi/abs/10.1145/3488932.3497769 - Technical Description
References () https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - Technical Description () https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - Technical Description
References () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 - Product () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 - Product
References () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 - Product () https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 - Product
References () https://github.com/webpack/loader-utils/issues/212 - Issue Tracking, Third Party Advisory () https://github.com/webpack/loader-utils/issues/212 - Issue Tracking, Third Party Advisory
References () https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 - Exploit, Issue Tracking, Third Party Advisory () https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 - Exploit, Issue Tracking, Third Party Advisory
References () https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 - Exploit, Issue Tracking, Third Party Advisory () https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 - Exploit, Issue Tracking, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html - Third Party Advisory () https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html - Third Party Advisory

14 May 2024, 11:13

Type Values Removed Values Added
Summary (en) Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js. (en) Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

28 Feb 2023, 15:02

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html - Third Party Advisory
  • (MISC) https://dl.acm.org/doi/abs/10.1145/3488932.3497769 - Technical Description
  • (MISC) https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - Technical Description
  • (MISC) https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 - Exploit, Issue Tracking, Third Party Advisory
  • (MISC) https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 - Exploit, Issue Tracking, Third Party Advisory
  • (MISC) http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf - Technical Description
References (MISC) https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 - Exploit, Third Party Advisory (MISC) https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 - Product
References (MISC) https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 - Exploit, Third Party Advisory (MISC) https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 - Product

26 Oct 2022, 13:31

Type Values Removed Values Added
CPE cpe:2.3:a:webpack.js:loader-utils:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*
References (MISC) https://github.com/webpack/loader-utils/issues/212 - Third Party Advisory (MISC) https://github.com/webpack/loader-utils/issues/212 - Issue Tracking, Third Party Advisory

13 Oct 2022, 18:25

Type Values Removed Values Added
New CVE

Information

Published : 2022-10-12 20:15

Updated : 2024-11-21 07:15


NVD link : CVE-2022-37601

Mitre link : CVE-2022-37601

CVE.ORG link : CVE-2022-37601


JSON object : View

Products Affected

debian

  • debian_linux

webpack.js

  • loader-utils
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')