9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
66.1%
node-loader-utils is vulnerable to Prototype Pollution. The vulnerability exists in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js which allows an attacker to cause a prototype pollution.
users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
dl.acm.org/doi/abs/10.1145/3488932.3497769
dl.acm.org/doi/pdf/10.1145/3488932.3497769
github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
github.com/webpack/loader-utils/issues/212
github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
lists.debian.org/debian-lts-announce/2022/12/msg00044.html
security-tracker.debian.org/tracker/CVE-2022-37601
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
66.1%