Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
https://github.com/webpack/webpack/pull/16500
https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80
Created golang-entgo-ent tracking bugs for this issue:
Affects: fedora-all [bug 2179835]

Created pcs tracking bugs for this issue:
Affects: fedora-all [bug 2179837]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:1591 https://access.redhat.com/errata/RHSA-2023:1591
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-28154