Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oYzZxLTJtcHAtcXc3as4AAyD3
Cross-realm object access in Webpack 5
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Permalink: https://github.com/advisories/GHSA-hc6q-2mpp-qw7jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oYzZxLTJtcHAtcXc3as4AAyD3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-hc6q-2mpp-qw7j, CVE-2023-28154
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-28154
- https://github.com/webpack/webpack/pull/16500
- https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
- https://lists.fedoraproject.org/archives/list/[email protected]/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/
- https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
Blast Radius: 34.3
Affected Packages
npm:webpack
Dependent packages: 216,244Dependent repositories: 3,177
Downloads: 109,468,065 last month
Affected Version Ranges: >= 5.0.0, < 5.76.0
Fixed in: 5.76.0
All affected versions: 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.10.1, 5.10.2, 5.10.3, 5.11.0, 5.11.1, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.14.0, 5.15.0, 5.16.0, 5.17.0, 5.18.0, 5.19.0, 5.20.0, 5.20.1, 5.20.2, 5.21.0, 5.21.1, 5.21.2, 5.22.0, 5.23.0, 5.24.0, 5.24.1, 5.24.2, 5.24.3, 5.24.4, 5.25.0, 5.25.1, 5.26.0, 5.26.1, 5.26.2, 5.26.3, 5.27.0, 5.27.1, 5.27.2, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.31.1, 5.31.2, 5.32.0, 5.33.0, 5.33.1, 5.33.2, 5.34.0, 5.35.0, 5.35.1, 5.36.0, 5.36.1, 5.36.2, 5.37.0, 5.37.1, 5.38.0, 5.38.1, 5.39.0, 5.39.1, 5.40.0, 5.41.0, 5.41.1, 5.42.0, 5.42.1, 5.43.0, 5.44.0, 5.45.0, 5.45.1, 5.46.0, 5.47.0, 5.47.1, 5.48.0, 5.49.0, 5.50.0, 5.51.0, 5.51.1, 5.51.2, 5.52.0, 5.52.1, 5.53.0, 5.54.0, 5.55.0, 5.55.1, 5.56.0, 5.56.1, 5.57.0, 5.57.1, 5.58.0, 5.58.1, 5.58.2, 5.59.0, 5.59.1, 5.60.0, 5.61.0, 5.62.0, 5.62.1, 5.62.2, 5.63.0, 5.64.0, 5.64.1, 5.64.2, 5.64.3, 5.64.4, 5.65.0, 5.66.0, 5.67.0, 5.68.0, 5.69.0, 5.69.1, 5.70.0, 5.71.0, 5.72.0, 5.72.1, 5.73.0, 5.74.0, 5.75.0
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.6, 0.2.7, 0.2.8, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.3.16, 0.3.17, 0.3.18, 0.3.19, 0.3.20, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.14, 0.4.15, 0.4.16, 0.4.17, 0.4.18, 0.4.19, 0.4.20, 0.4.21, 0.4.23, 0.4.24, 0.4.25, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.10, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.11, 0.7.12, 0.7.13, 0.7.14, 0.7.15, 0.7.16, 0.7.17, 0.8.0, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 1.0.0, 1.0.1, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.14.0, 1.15.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.12.0, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.11.1, 4.12.0, 4.12.1, 4.12.2, 4.13.0, 4.14.0, 4.15.0, 4.15.1, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.16.5, 4.17.0, 4.17.1, 4.17.2, 4.17.3, 4.18.0, 4.18.1, 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.24.0, 4.25.0, 4.25.1, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.28.0, 4.28.1, 4.28.2, 4.28.3, 4.28.4, 4.29.0, 4.29.1, 4.29.2, 4.29.3, 4.29.4, 4.29.5, 4.29.6, 4.30.0, 4.31.0, 4.32.0, 4.32.1, 4.32.2, 4.33.0, 4.34.0, 4.35.0, 4.35.1, 4.35.2, 4.35.3, 4.36.0, 4.36.1, 4.37.0, 4.38.0, 4.39.0, 4.39.1, 4.39.2, 4.39.3, 4.40.0, 4.40.1, 4.40.2, 4.40.3, 4.41.0, 4.41.1, 4.41.2, 4.41.3, 4.41.4, 4.41.5, 4.41.6, 4.42.0, 4.42.1, 4.43.0, 4.44.0, 4.44.1, 4.44.2, 4.45.0, 4.46.0, 4.47.0, 5.76.0, 5.76.1, 5.76.2, 5.76.3, 5.77.0, 5.78.0, 5.79.0, 5.80.0, 5.81.0, 5.82.0, 5.82.1, 5.83.0, 5.83.1, 5.84.0, 5.84.1, 5.85.0, 5.85.1, 5.86.0, 5.87.0, 5.88.0, 5.88.1, 5.88.2, 5.89.0, 5.90.0, 5.90.1, 5.90.2, 5.90.3, 5.91.0