2134876 – (CVE-2022-37601) CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js

Bug 2134876 (CVE-2022-37601) - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js

Summary: CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in pa...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-37601
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2149392 2134881 2149351 2149352 2149353 2149354 2149355 2149356 2149357 2149358 2149393 2149400 2149401 2149402 2149403 2149404 2149405
Blocks:	2134712
TreeView+	depends on / blocked

Reported:	2022-10-14 14:06 UTC by juneau
Modified:	2023-09-01 04:13 UTC (History)
CC List:	130 users (show)
Fixed In Version:	loader-utils 1.4.1, loader-utils 2.0.3
Doc Type:	If docs needed, set a value
Doc Text:	A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution.
Clone Of:
Environment:
Last Closed:	2023-01-22 01:22:40 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:0264	0	None	None	None	2023-01-19 11:04:49 UTC
Red Hat Product Errata	RHSA-2023:0934	0	None	None	None	2023-02-28 00:50:34 UTC

Description juneau 2022-10-14 14:06:41 UTC

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

loader-utils prior to version 3 is deprecated and no longer supported

External Reference:
https://github.com/webpack/loader-utils/issues/212

Comment 12 Chess Hazlett 2022-11-29 19:37:08 UTC

Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2149392]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2149393]

Comment 21 errata-xmlrpc 2023-01-19 11:04:42 UTC

This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264

Comment 22 Product Security DevOps Team 2023-01-22 01:22:34 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-37601

Comment 23 errata-xmlrpc 2023-02-28 00:50:30 UTC

This issue has been addressed in the following products:

  MTA-6.0-RHEL-8

Via RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934

Note You need to log in before you can comment on or make changes to this bug.

adudiak
agerstmayr
aileenc
alazarot
anbehl
asoldano
balejosg
bbaranow
bbuckingham
bcourt
bdettelb
bmaxwell
boliveir
brian.stansberry
btotty
caswilli
cdewolf
chazlett
cluster-maint
darran.lofthouse
dcadzow
dffrench
dkenigsb
dkreling
dkuc
dosoudil
drieden
ehelms
ellin
emingora
eric.wittmann
fdeutsch
fdupont
fjansen
fjuma
fmuellner
fzatlouk
gjospin
gmalinko
grafana-maint
gzaronik
ibek
idevat
idm-ds-dev-bugs
ikanias
iweiss
janstey
jary
jburrell
jcantril
jhorak
jkoehler
jkurik
jpavlik
jrokos
jshaughn
jsherril
jstastny
jwendell
jwong
jwon
kaycoth
klember
kshier
kverlaen
lgao
lzap
mhulan
micjohns
mlisik
mnovotny
mokumar
mosmerov
mpitt
mpospisi
mresvani
msochure
msvehla
mwringe
myarboro
nathans
nboldt
ngough
nmoumoul
nwallace
omular
orabin
oramraz
oskutka
ovanders
pantinor
pcreech
pdelbell
pdrozd
peholase
periklis
pjindal
pmackay
psegedy
pskopek
rcernich
rchan
rgarg
rgodfrey
rguimara
rrajasek
rravi
rstancel
scorneli
scox
sdayan
sfowler
shbose
smaestri
smullick
sthirugn
sthorger
stransky
tcarlin
tkasparek
tohughes
tojeline
tom.jenkinson
tpopela
tsasak
twalsh
ubhargav
vkrizan
vkumar
vmugicag