Описание
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
A flaw was found in the webpack package, which could allow a remote attacker to bypass security restrictions caused by the mishandling of the magic comment feature by the ImportParserPlugin.js. This flaw allows an attacker to gain access to the real global object by sending a specially-crafted request.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | odo | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Affected | ||
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Not affected | ||
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Not affected | ||
| Red Hat A-MQ Online | webpack | Affected | ||
| Red Hat Ansible Automation Platform 2 | aap-azure-ui | Not affected | ||
| Red Hat build of Apicurio Registry 2 | webpack | Not affected | ||
| Red Hat Data Grid 8 | webpack | Not affected | ||
| Red Hat Decision Manager 7 | webpack | Not affected | ||
| Red Hat Enterprise Linux 6 | firefox | Not affected |
Показывать по
Дополнительная информация
Статус:
9.1 Critical
CVSS3
Связанные уязвимости
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Webpack 5 before 5.76.0 does not avoid cross-realm object access. Impo ...
9.1 Critical
CVSS3