CVE-2023-28154

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28154

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28154.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28154

Aliases

GHSA-hc6q-2mpp-qw7j

Related

Published

2023-03-13T01:15:10Z

Modified

2025-02-14T11:43:59.682342Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

References

Affected packages

Debian:11 / node-webpack

Package

Name: node-webpack
Purl: pkg:deb/debian/node-webpack?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.43.0-6+deb11u1

Affected versions

4.*

4.43.0-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-webpack

Package

Name: node-webpack
Purl: pkg:deb/debian/node-webpack?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.75.0+dfsg+~cs17.16.14-1+deb12u1

Affected versions

5.*

5.75.0+dfsg+~cs17.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-webpack

Package

Name: node-webpack
Purl: pkg:deb/debian/node-webpack?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.76.1+dfsg1+~cs17.16.16-1

Affected versions

5.*

5.75.0+dfsg+~cs17.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/webpack/webpack

Affected ranges

Type: GIT
Repo: https://github.com/webpack/webpack
Events: Introduced

610f36817af1f1c6929786d68f734ac582af1757

Fixed

97b1718720c33f1b17302a74c5284b01e02ec001

Affected versions

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.10.0

v5.10.1

v5.10.2

v5.10.3

v5.11.0

v5.11.1

v5.12.0

v5.12.1

v5.12.2

v5.12.3

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.17.0

v5.18.0

v5.19.0

v5.2.0

v5.2.1

v5.20.0

v5.20.1

v5.20.2

v5.21.0

v5.21.2

v5.22.0

v5.23.0

v5.24.0

v5.24.1

v5.24.2

v5.24.3

v5.24.4

v5.25.0

v5.25.1

v5.26.0

v5.26.1

v5.26.2

v5.26.3

v5.27.0

v5.27.1

v5.27.2

v5.28.0

v5.29.0

v5.3.0

v5.3.1

v5.3.2

v5.30.0

v5.31.0

v5.31.1

v5.31.2

v5.32.0

v5.33.0

v5.33.1

v5.33.2

v5.34.0

v5.35.0

v5.35.1

v5.36.0

v5.36.1

v5.36.2

v5.37.0

v5.37.1

v5.38.0

v5.38.1

v5.39.0

v5.39.1

v5.4.0

v5.40.0

v5.41.0

v5.41.1

v5.42.0

v5.42.1

v5.43.0

v5.44.0

v5.45.0

v5.45.1

v5.46.0

v5.47.0

v5.47.1

v5.48.0

v5.49.0

v5.5.0

v5.5.1

v5.50.0

v5.51.0

v5.51.1

v5.51.2

v5.52.0

v5.52.1

v5.53.0

v5.54.0

v5.55.0

v5.55.1

v5.56.0

v5.56.1

v5.57.0

v5.57.1

v5.58.0

v5.58.1

v5.58.2

v5.59.0

v5.59.1

v5.6.0

v5.60.0

v5.61.0

v5.62.0

v5.62.1

v5.62.2

v5.63.0

v5.64.0

v5.64.1

v5.64.2

v5.64.3

v5.64.4

v5.65.0

v5.66.0

v5.67.0

v5.68.0

v5.69.0

v5.69.1

v5.7.0

v5.70.0

v5.71.0

v5.72.0

v5.72.1

v5.73.0

v5.74.0

v5.75.0

v5.8.0

v5.9.0