Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
References
Configurations
History
21 Nov 2024, 07:54
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0 - Patch, Product | |
References | () https://github.com/webpack/webpack/pull/16500 - Patch | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/ - |
22 Apr 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Mar 2023, 15:19
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
References | (MISC) https://github.com/webpack/webpack/pull/16500 - Patch | |
References | (MISC) https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0 - Patch, Product | |
CPE | cpe:2.3:a:webpack.js:webpack:*:*:*:*:*:node.js:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
13 Mar 2023, 01:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-03-13 01:15
Updated : 2024-11-21 07:54
NVD link : CVE-2023-28154
Mitre link : CVE-2023-28154
CVE.ORG link : CVE-2023-28154
JSON object : View
Products Affected
webpack.js
- webpack
CWE