xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
References
Link | Resource |
---|---|
https://github.com/jindw/xmldom/issues/150 | Exploit Issue Tracking Third Party Advisory |
https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html | Mailing List Third Party Advisory |
https://github.com/jindw/xmldom/issues/150 | Exploit Issue Tracking Third Party Advisory |
https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html | Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 07:18
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/jindw/xmldom/issues/150 - Exploit, Issue Tracking, Third Party Advisory | |
References | () https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 - Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html - Mailing List, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.4 |
01 Mar 2023, 14:03
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
CWE | CWE-1288 | |
References |
|
04 Nov 2022, 12:29
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-20 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (CONFIRM) https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 - Third Party Advisory | |
References | (MISC) https://github.com/jindw/xmldom/issues/150 - Exploit, Issue Tracking, Third Party Advisory | |
CPE | cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:* cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta2:*:*:*:node.js:*:* cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta3:*:*:*:node.js:*:* cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:* |
02 Nov 2022, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-02 17:15
Updated : 2024-11-21 07:18
NVD link : CVE-2022-39353
Mitre link : CVE-2022-39353
CVE.ORG link : CVE-2022-39353
JSON object : View
Products Affected
debian
- debian_linux
xmldom_project
- xmldom