Description
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
node-webpack | fixed | 5.76.1+dfsg1+~cs17.16.16-1 | | package |
node-webpack | fixed | 5.75.0+dfsg+~cs17.16.14-1+deb12u1 | bookworm | package |
node-webpack | fixed | 4.43.0-6+deb11u1 | bullseye | package |
node-webpack | not-affected | | buster | package |
Notes
https://github.com/webpack/webpack/pull/16500
Merge commit: https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80 (v5.76.0)