Bug 2134876 (CVE-2022-37601)

Summary: CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
Product: [Other] Security Response
Reporter: juneau
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: loader-utils 1.4.1, loader-utils 2.0.3
Doc Text:
A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils package, via the name variable (the property name taken from the attacker-controlled query string). This flaw can lead to a denial of service or remote code execution.
Last Closed: 2023-01-22 01:22:40 UTC
Bug Depends On: 2149392, 2134881, 2149351, 2149352, 2149353, 2149354, 2149355, 2149356, 2149357, 2149358, 2149393, 2149400, 2149401, 2149402, 2149403, 2149404, 2149405
Bug Blocks: 2134712
CC: adudiak, agerstmayr, aileenc, alazarot, anbehl, asoldano, balejosg, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, boliveir, brian.stansberry, btotty, caswilli, cdewolf, chazlett, cluster-maint, darran.lofthouse, dcadzow, dffrench, dkenigsb, dkreling, dkuc, dosoudil, drieden, ehelms, ellin, emingora, eric.wittmann, fdeutsch, fdupont, fjansen, fjuma, fmuellner, fzatlouk, gjospin, gmalinko, grafana-maint, gzaronik, ibek, idevat, idm-ds-dev-bugs, ikanias, iweiss, janstey, jary, jburrell, jcantril, jhorak, jkoehler, jkurik, jpavlik, jrokos, jshaughn, jsherril, jstastny, jwendell, jwong, jwon, kaycoth, klember, kshier, kverlaen, lgao, lzap, mhulan, micjohns, mlisik, mnovotny, mokumar, mosmerov, mpitt, mpospisi, mresvani, msochure, msvehla, mwringe, myarboro, nathans, nboldt, ngough, nmoumoul, nwallace, omular, orabin, oramraz, oskutka, ovanders, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pjindal, pmackay, psegedy, pskopek, rcernich, rchan, rgarg, rgodfrey, rguimara, rrajasek, rravi, rstancel, scorneli, scox, sdayan, sfowler, shbose, smaestri, smullick, sthirugn, sthorger, stransky, tcarlin, tkasparek, tohughes, tojeline, tom.jenkinson, tpopela, tsasak, twalsh, ubhargav, vkrizan, vkumar, vmugicag

Description juneau 2022-10-14 14:06:41 UTC
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

loader-utils prior to version 3 is deprecated and no longer supported

External Reference:
https://github.com/webpack/loader-utils/issues/212
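
The description above names the sink but not the mechanism. The following is an added example, not loader-utils' own code: a stripped-down query parser in the shape of loader-utils' parseQuery (key=value pairs split on `,` or `&`, `name[]` list keys, `+flag`/`-flag` booleans; the real module also accepts a `{...}` JSON5 body, which is omitted here) next to a hardened variant. The loose variant stores into a plain `{}`, so a key named `__proto__` invokes the accessor inherited from Object.prototype instead of creating an own property and the attacker picks the parsed object's prototype; Object.prototype itself is not modified by this path, and whether the hijacked prototype escalates to the DoS or RCE the Doc Text mentions depends on what the caller does with the returned object. The hardened variant uses a null-prototype result object, which is the approach the fixed releases take, plus an explicit denylist (an extra guard added here, not part of the upstream fix) so the dangerous names are refused rather than stored as own keys. The hostile query string and the function names are constructed for the example.

```javascript
// Added example, not loader-utils' own code: a stripped-down parser in the
// shape of loader-utils' parseQuery (JSON5 body omitted) beside a hardened one.

const SPECIAL_VALUES = { null: null, true: true, false: false };
// Names that reach the prototype chain or the constructor through a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Shared key=value loop. `makeResult` chooses the result object and
// `checkKey` sees every decoded key name before it is used as a property name.
function parseQueryWith(query, makeResult, checkKey) {
  if (query.charAt(0) !== "?") {
    throw new Error("A valid query string passed to parseQuery should begin with '?'");
  }
  const body = query.slice(1);
  const result = makeResult();
  if (!body) return result;

  for (const arg of body.split(/[,&]/g)) {
    const idx = arg.indexOf("=");
    let name;
    let value;
    if (idx >= 0) {
      name = arg.slice(0, idx);
      value = decodeURIComponent(arg.slice(idx + 1));
      if (Object.prototype.hasOwnProperty.call(SPECIAL_VALUES, value)) {
        value = SPECIAL_VALUES[value];
      }
    } else if (arg.charAt(0) === "-") {
      name = arg.slice(1); value = false;   // "-flag" -> flag: false
    } else if (arg.charAt(0) === "+") {
      name = arg.slice(1); value = true;    // "+flag" -> flag: true
    } else {
      name = arg; value = true;             // bare "flag" -> flag: true
    }

    const isList = idx >= 0 && name.endsWith("[]");
    if (isList) name = name.slice(0, -2);
    name = checkKey(decodeURIComponent(name));   // attacker-controlled property name

    if (isList) {
      if (!Array.isArray(result[name])) result[name] = [];  // sink: result["__proto__"] = []
      result[name].push(value);
    } else {
      result[name] = value;                                  // sink: result["__proto__"] = value
    }
  }
  return result;
}

// Pre-fix shape: `{}` inherits Object.prototype, so "__proto__" as a key hits
// the inherited accessor and replaces the parsed object's prototype.
function parseQueryLoose(query) {
  return parseQueryWith(query, () => ({}), (key) => key);
}

// Hardened shape: null-prototype result (as in the fixed releases) so there is
// no accessor to hit, plus a denylist so the names are refused outright.
function parseQueryHardened(query) {
  return parseQueryWith(query, () => Object.create(null), (key) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`parseQuery: refusing to set property "${key}"`);
    }
    return key;
  });
}

// Side-by-side check on a constructed hostile query.
function demonstrate() {
  const hostile = "?__proto__[]=evil";               // constructed attacker input
  const loose = parseQueryLoose(hostile);
  let hardenedRejected = false;
  try { parseQueryHardened(hostile); } catch (e) { hardenedRejected = true; }
  return {
    looseOwnKeys: Object.keys(loose).length,                        // 0: nothing stored as an own key
    looseProtoIsArray: Array.isArray(Object.getPrototypeOf(loose)), // true: prototype is now ["evil"]
    looseInheritedLength: loose.length,                             // 1: read through the hijacked prototype
    globalPrototypeClean: !("length" in Object.prototype),          // true: Object.prototype untouched
    hardenedRejected,                                               // true: denylist refused "__proto__"
  };
}
```

Note that a null-prototype object alone changes behaviour rather than removing the attacker's influence: with `Object.create(null)` and no denylist, `?__proto__=x` would succeed and leave an own property literally named `__proto__` on the result, which a later `Object.assign` or spread into a plain object would again feed to the inherited setter. The denylist is what turns that into a hard failure.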

Comment 12 Chess Hazlett 2022-11-29 19:37:08 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2149392]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2149393]

Comment 21 errata-xmlrpc 2023-01-19 11:04:42 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264

Comment 22 Product Security DevOps Team 2023-01-22 01:22:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-37601

Comment 23 errata-xmlrpc 2023-02-28 00:50:30 UTC
This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934