2179227 – (CVE-2023-28154) CVE-2023-28154 webpack: avoid cross-realm objects

Bug 2179227 (CVE-2023-28154) - CVE-2023-28154 webpack: avoid cross-realm objects

Summary: CVE-2023-28154 webpack: avoid cross-realm objects

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-28154
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2179835 2179837 2179900 2179901 2179902 2180889
Blocks:	2177766
TreeView+	depends on / blocked

Reported:	2023-03-17 05:33 UTC by Sandipan Roy
Modified:	2023-05-09 19:44 UTC (History)
CC List:	99 users (show)
Fixed In Version:	webpack 5.76.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the webpack package, which could allow a remote attacker to bypass security restrictions caused by the mishandling of the magic comment feature by the ImportParserPlugin.js. This flaw allows an attacker to gain access to the real global object by sending a specially-crafted request.
Clone Of:
Environment:
Last Closed:	2023-05-09 19:44:22 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:1591	0	None	None	None	2023-04-04 09:26:18 UTC

Description Sandipan Roy 2023-03-17 05:33:16 UTC

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
https://github.com/webpack/webpack/pull/16500
https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80

Comment 1 Avinash Hanwate 2023-03-20 08:38:58 UTC

Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2179835]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2179837]

Comment 8 errata-xmlrpc 2023-04-04 09:26:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1591 https://access.redhat.com/errata/RHSA-2023:1591

Comment 10 Product Security DevOps Team 2023-05-09 19:44:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28154

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alampare
alazarot
asoldano
bbaranow
bbuckingham
bcourt
bdettelb
bmaxwell
brian.stansberry
cdewolf
chazlett
cluster-maint
cwelton
darran.lofthouse
davidn
dfreiber
dhanak
dkreling
dosoudil
dshah
ehelms
ellin
emingora
epacific
erack
eric.wittmann
fjuma
fmuellner
fzatlouk
gjospin
gmalinko
grafana-maint
gzaronik
hbraun
ibek
idevat
ivassile
iweiss
janstey
jburrell
jcammara
jhardy
jhorak
jkurik
jneedle
jobarker
jpavlik
jrokos
jsherril
jwendell
klember
kverlaen
lbacciot
lgao
lzap
mabashia
mhulan
mlisik
mnovotny
mokumar
mosmerov
mpospisi
msochure
msvehla
myarboro
nathans
nboldt
nmoumoul
nwallace
omular
orabin
osapryki
pantinor
pcreech
pdelbell
peholase
pjindal
pmackay
rcernich
rchan
rguimara
rogbas
rrajasek
rstancel
scorneli
scox
simaishi
smaestri
smcdonal
stransky
teagle
tojeline
tom.jenkinson
tpopela
twalsh
vkumar
yguenane
zsadeh