[Pkg-javascript-devel] Bug#1077543: requirejs: CVE-2024-38998 CVE-2024-38999
Moritz Mühlenhoff
jmm at inutil.org
Mon Jul 29 20:29:21 BST 2024
Source: requirejs
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for requirejs.
CVE-2024-38998[0]:
| jrburke requirejs v2.3.6 was discovered to contain a prototype
| pollution via the function config. This vulnerability allows
| attackers to execute arbitrary code or cause a Denial of Service
| (DoS) via injecting arbitrary properties.
https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a
CVE-2024-38999[1]:
| jrburke requirejs v2.3.6 was discovered to contain a prototype
| pollution via the function s.contexts._.configure. This
| vulnerability allows attackers to execute arbitrary code or cause a
| Denial of Service (DoS) via injecting arbitrary properties.
https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-38998
https://www.cve.org/CVERecord?id=CVE-2024-38998
[1] https://security-tracker.debian.org/tracker/CVE-2024-38999
https://www.cve.org/CVERecord?id=CVE-2024-38999
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list