Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-37601

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Published

2022-10-12T20:15:11.263

Last Modified

2024-11-21T07:15:02.190

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-1321

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	webpack.js	loader-utils	< 1.4.1	Yes
Application	webpack.js	loader-utils	< 2.0.3	Yes
Operating System	debian	debian_linux	10.0	Yes

References

http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description ([email protected])
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description ([email protected])
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description ([email protected])
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product ([email protected])
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product ([email protected])
https://github.com/webpack/loader-utils/issues/212 Issue Tracking, Third Party Advisory ([email protected])
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory ([email protected])
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf Technical Description (af854a3a-2127-422b-91ae-364da2661108)
https://dl.acm.org/doi/abs/10.1145/3488932.3497769 Technical Description (af854a3a-2127-422b-91ae-364da2661108)
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 Technical Description (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/webpack/loader-utils/issues/212 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)