Fix CVE–2023–28154

[debricked]

CVE–2023–28154

Vulnerability details

Description

NVD

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

GitHub

Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

GitLab Advisory Database (Open Source Edition)

Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    NVD - CVE-2023-28154
    Cross-realm object access in Webpack 5 · CVE-2023-28154 · GitHub Advisory Database · GitHub
    npm/webpack/CVE-2023-28154.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    Comparing v5.75.0...v5.76.0 · webpack/webpack · GitHub
    security: avoid cross-realm objects by Jack-Works · Pull Request #16500 · webpack/webpack · GitHub
    [SECURITY] Fedora 37 Update: pcs-0.11.5-2.fc37 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 38 Update: pcs-0.11.5-2.fc38 - package-announce - Fedora Mailing-Lists
    [SECURITY] Fedora 36 Update: pcs-0.11.5-2.fc36 - package-announce - Fedora Mailing-Lists

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE