Bug 2179227 (CVE-2023-28154) - CVE-2023-28154 webpack: avoid cross-realm objects
Summary: CVE-2023-28154 webpack: avoid cross-realm objects
Alias: CVE-2023-28154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2179835 2179837 2179900 2179901 2179902 2180889
Blocks: 2177766
TreeView+ depends on / blocked
Reported: 2023-03-17 05:33 UTC by Sandipan Roy
Modified: 2023-05-09 19:44 UTC (History)
99 users (show)

Fixed In Version: webpack 5.76.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the webpack package, which could allow a remote attacker to bypass security restrictions caused by the mishandling of the magic comment feature by the ImportParserPlugin.js. This flaw allows an attacker to gain access to the real global object by sending a specially-crafted request.
Clone Of:
Last Closed: 2023-05-09 19:44:22 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1591 0 None None None 2023-04-04 09:26:18 UTC

Description Sandipan Roy 2023-03-17 05:33:16 UTC
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.


Comment 1 Avinash Hanwate 2023-03-20 08:38:58 UTC
Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2179835]

Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2179837]

Comment 8 errata-xmlrpc 2023-04-04 09:26:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1591 https://access.redhat.com/errata/RHSA-2023:1591

Comment 10 Product Security DevOps Team 2023-05-09 19:44:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.