Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-28154
HistoryMar 13, 2023 - 12:00 a.m.

CVE-2023-28154

2023-03-1300:00:00
ubuntu.com
ubuntu.com
51
webpack
vulnerability
cross-realm object access

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

61.2%

Webpack 5 before 5.76.0 does not avoid cross-realm object access.
ImportParserPlugin.js mishandles the magic comment feature. An attacker who
controls a property of an untrusted object can obtain access to the real
global object.

Bugs

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

61.2%