Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-39353

Опубликовано: 02 нояб. 2022
Источник: nvd
CVSS3: 9.4
CVSS3: 9.8
EPSS Низкий

Описание

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
Версия до 0.6.0 (исключая)
cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
Версия от 0.7.0 (включая) до 0.7.7 (исключая)
cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
Версия от 0.8.0 (включая) до 0.8.4 (исключая)
cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta3:*:*:*:node.js:*:*
Конфигурация 2
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 79%
0.0127
Низкий

9.4 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-20
CWE-20

Связанные уязвимости

ubuntu логотип

CVE-2022-39353

CVSS3: 9.4
ubuntu
больше 3 лет назад

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.

redhat логотип

CVE-2022-39353

CVSS3: 9.4
redhat
больше 3 лет назад

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.

msrc логотип

CVE-2022-39353

CVSS3: 9.8
msrc
больше 1 года назад

Описание отсутствует

debian логотип

CVE-2022-39353

CVSS3: 9.4
debian
больше 3 лет назад

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...

github логотип

GHSA-crh6-fp67-6883

CVSS3: 9.8
github
больше 3 лет назад

xmldom allows multiple root nodes in a DOM

EPSS

Процентиль: 79%
0.0127
Низкий

9.4 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-20
CWE-20