UBUNTU-CVE-2022-39353

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-39353

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-39353.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2022-39353

Related

Published

2022-11-02T17:15:00Z

Modified

2024-10-15T14:10:10Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElementor reject a document with a document that has more then 1 childNode.

References

Affected packages

Ubuntu:20.04:LTS / node-xmldom

Package

Name: node-xmldom
Purl: pkg:deb/ubuntu/node-xmldom?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.27+ds-1+deb10u2build0.20.04.1

Affected versions

0.*

0.1.27+ds-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.1.27+ds-1+deb10u2build0.20.04.1",
            "binary_name": "node-xmldom"
        }
    ]
}

Ubuntu:22.04:LTS / node-xmldom

Package

Name: node-xmldom
Purl: pkg:deb/ubuntu/node-xmldom?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.7.5-1ubuntu0.22.04.1

Affected versions

0.*

0.5.0-1

0.7.3-1

0.7.5-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.7.5-1ubuntu0.22.04.1",
            "binary_name": "node-xmldom"
        }
    ]
}

Ubuntu:24.10 / node-xmldom

Package

Name: node-xmldom
Purl: pkg:deb/ubuntu/node-xmldom?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.6-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / node-xmldom

Package

Name: node-xmldom
Purl: pkg:deb/ubuntu/node-xmldom?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.6-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}