Lucene search

K
githubGitHub Advisory DatabaseGHSA-HC6Q-2MPP-QW7J
HistoryMar 13, 2023 - 3:30 a.m.

Cross-realm object access in Webpack 5

2023-03-1303:30:15
GitHub Advisory Database
github.com
75
webpack
vulnerability
cross-realm
object access
importparserplugin.js
magic comment
attacker
global object

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

61.2%

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Affected configurations

Vulners
Node
github_advisory_databasewebpackRange<5.76.0
CPENameOperatorVersion
webpacklt5.76.0

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

61.2%