GHSA-9pgh-qqpf-7wqj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom
Impact
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3.
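As an added illustration, not xmldom's own code (function names are hypothetical), the pattern the advisory describes, a copy loop that assigns every key enumerated from `src` to `dest`, beside a hardened copy that takes own keys only and refuses prototype-related names:

```javascript
// Added example, not code from xmldom. Names are hypothetical.

// Vulnerable pattern: for..in also walks inherited enumerable keys, and a key
// named "__proto__" is assigned through the inherited setter, so the
// destination's prototype chain is rewired to attacker-controlled data.
function copyUnsafe(src, dest) {
  for (var p in src) {
    dest[p] = src[p];
  }
  return dest;
}

// Keys that must never be copied from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: own keys only, prototype-related names skipped, and
// Object.defineProperty so no inherited setter can run during the copy.
function copySafe(src, dest) {
  for (const p of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(p)) continue;
    Object.defineProperty(dest, p, {
      value: src[p], writable: true, enumerable: true, configurable: true,
    });
  }
  return dest;
}

// Constructed input: JSON.parse creates an *own* "__proto__" key (an object
// literal would not), which is why parsed data is the usual carrier.
function pollutedSource() {
  return JSON.parse('{"name":"x","__proto__":{"isAdmin":true}}');
}

// Check a copied object: still a plain object, and no property it should
// only be able to reach through a foreign prototype?
function prototypeIntact(obj) {
  return Object.getPrototypeOf(obj) === Object.prototype && !('isAdmin' in obj);
}

// Run both copies over the same constructed input and report the outcome.
function demo() {
  const unsafe = copyUnsafe(pollutedSource(), {});
  const safe = copySafe(pollutedSource(), {});
  return { unsafeIntact: prototypeIntact(unsafe), safeIntact: prototypeIntact(safe) };
}
```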
Patches
Update to @xmldom/[email protected] or higher or to @xmldom/[email protected] or higher if you are on the dist-tag next.
Workarounds
None. If you cannot update to v0.8.3, please let us know; we would also be able to provide a patch update for version 0.7.x if required.
References
https://github.com/xmldom/xmldom/pull/437
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
- Add information to https://github.com/xmldom/xmldom/issue/436
Moderate severity GitHub Reviewed Published Oct 11, 2022 in xmldom/xmldom
Package: @xmldom/xmldom (npm)
Affected versions: < 0.8.3, = 0.9.0-beta.1
Patched versions: 0.8.3, 0.9.0-beta.2

Package: xmldom (npm)
Affected versions: <= 0.6.0
Patched versions: None
References
- GHSA-9pgh-qqpf-7wqj
- https://nvd.nist.gov/vuln/detail/CVE-2022-37616
- xmldom/xmldom#436
- xmldom/xmldom#437
- https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
- https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
karfau published the maintainer security advisory
Oct 11, 2022
Severity: Moderate (6.4 / 10)
CVSS base metrics
Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: Low
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
Weaknesses: CWE-1321
CVE ID: CVE-2022-37616
GHSA ID: GHSA-9pgh-qqpf-7wqj
Source code: xmldom/xmldom
Credits
- Supraja9726
Related news
Ubuntu Security Notice 6102-1 - It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause unexpected syntactic changes during XML processing. This issue only affected Ubuntu 20.04 LTS. It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable.