exploitDog

CVE-2022-37598

Published: 20 Oct 2022
Source: redhat
CVSS3: 9.8
EPSS: Low

Description

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

A prototype pollution vulnerability was found in UglifyJS, stemming from the DEFNODE function in ast.js via the name variable. Exploiting this flaw involves adding or altering properties of Object.prototype through a `__proto__` or `constructor` payload, enabling an attacker to execute arbitrary code or cause a denial of service on the system.

Report

OpenShift Service Mesh is closed as wontfix, as @types/uglify-js is hoisted from the storybook, which is a dev dep only and does not affect the production Kiali container. Also, this dependency has been removed completely from OSSM 2.3. Upstream doesn't consider this as a vulnerability. Refer to the "External References" section for more details.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Migration Toolkit for Runtimes | uglify-js | Affected | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/kiali-rhel8 | Will not fix | | |
| OpenShift Service Mesh 2.0 | openshift-service-mesh/kiali-rhel8 | Will not fix | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Will not fix | | |
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Will not fix | | |
| OpenShift Service Mesh 2.1 | openshift-service-mesh/kiali-rhel8 | Will not fix | | |
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/application-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-rhel8 | Not affected | | |


Additional information

Status:

Moderate
Defect:
CWE-1321
https://bugzilla.redhat.com/show_bug.cgi?id=2142469
uglify-js: Prototype pollution vulnerability in function DEFNODE in ast.js

EPSS

Percentile: 74%
0.00796
Low

9.8 Critical

CVSS3

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 3 years ago

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

CVSS3: 9.8
nvd
more than 3 years ago

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

CVSS3: 9.8
debian
more than 3 years ago

Prototype pollution vulnerability in function DEFNODE in ast.js in mis ...

CVSS3: 9.8
github
more than 3 years ago

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.
