Bug 2179227 (CVE-2023-28154)

Summary: CVE-2023-28154 webpack: avoid cross-realm objects
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, alampare, alazarot, asoldano, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, brian.stansberry, cdewolf, chazlett, cluster-maint, cwelton, darran.lofthouse, davidn, dfreiber, dhanak, dkreling, dosoudil, dshah, ehelms, ellin, emingora, epacific, erack, eric.wittmann, fjuma, fmuellner, fzatlouk, gjospin, gmalinko, grafana-maint, gzaronik, hbraun, ibek, idevat, ivassile, iweiss, janstey, jburrell, jcammara, jhardy, jhorak, jkurik, jneedle, jobarker, jpavlik, jrokos, jsherril, jwendell, klember, kverlaen, lbacciot, lgao, lzap, mabashia, mhulan, mlisik, mnovotny, mokumar, mosmerov, mpospisi, msochure, msvehla, myarboro, nathans, nboldt, nmoumoul, nwallace, omular, orabin, osapryki, pantinor, pcreech, pdelbell, peholase, pjindal, pmackay, rcernich, rchan, rguimara, rogbas, rrajasek, rstancel, scorneli, scox, simaishi, smaestri, smcdonal, stransky, teagle, tojeline, tom.jenkinson, tpopela, twalsh, vkumar, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: webpack 5.76.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the webpack package, which could allow a remote attacker to bypass security restrictions caused by the mishandling of the magic comment feature by the ImportParserPlugin.js. This flaw allows an attacker to gain access to the real global object by sending a specially-crafted request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 19:44:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2179835, 2179837, 2179900, 2179901, 2179902, 2180889    
Bug Blocks: 2177766    

Description Sandipan Roy 2023-03-17 05:33:16 UTC 
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
https://github.com/webpack/webpack/pull/16500
https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80
Comment 1 Avinash Hanwate 2023-03-20 08:38:58 UTC 
Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2179835]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2179837]
Comment 8 errata-xmlrpc 2023-04-04 09:26:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1591 https://access.redhat.com/errata/RHSA-2023:1591
Comment 10 Product Security DevOps Team 2023-05-09 19:44:16 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28154