[Pkg-javascript-devel] Bug#1081906: node-webpack: CVE-2024-43788

Moritz Mühlenhoff jmm at inutil.org
Sun Sep 15 22:16:26 BST 2024


Source: node-webpack
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-webpack.

CVE-2024-43788[0]:
| Webpack is a module bundler. Its main purpose is to bundle
| JavaScript files for usage in a browser, yet it is also capable of
| transforming, bundling, or packaging just about any resource or
| asset. The webpack developers have discovered a DOM Clobbering
| vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM
| Clobbering gadget in the module can lead to cross-site scripting
| (XSS) in web pages where scriptless attacker-controlled HTML
| elements (e.g., an `img` tag with an unsanitized `name` attribute)
| are present. Real-world exploitation of this gadget has been
| observed in the Canvas LMS which allows an XSS attack to happen
| through a javascript code compiled by Webpack (the vulnerable part
| is from Webpack). DOM Clobbering is a type of code-reuse attack
| where the attacker first embeds a piece of non-script, seemingly
| benign HTML markups in the webpage (e.g. through a post or comment)
| and leverages the gadgets (pieces of js code) living in the existing
| javascript code to transform it into executable code. This
| vulnerability can lead to cross-site scripting (XSS) on websites
| that include Webpack-generated files and allow users to inject
| certain scriptless HTML tags with improperly sanitized name or id
| attributes. This issue has been addressed in release version 5.94.0.
| All users are advised to upgrade. There are no known workarounds for
| this issue.

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61 (v5.94.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43788
    https://www.cve.org/CVERecord?id=CVE-2024-43788

Please adjust the affected versions in the BTS as needed.
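
An added example, not part of the original message or of webpack's own code: a Node.js check that lists every webpack copy in an npm lockfile that predates the fixed release 5.94.0 named above. It assumes a `package-lock.json` with lockfileVersion 2 or 3 (a `packages` map); the sample lockfile is constructed, and since the message gives no lower bound for the affected range, anything older than the fix is only marked for review.

```javascript
// Fixed release taken from the CVE description quoted in the message.
const FIXED = [5, 94, 0];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if it does not match.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// true: sorts before 5.94.0; false: 5.94.0 or later; null: unparseable.
function isBeforeFix(v) {
  const p = parseVersion(v);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a prerelease of 5.94.0 itself sorts before the release
}

// Walk the lockfile's "packages" map, including nested (transitive) copies.
function findWebpackBeforeFix(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match ".../node_modules/webpack" exactly, not webpack-cli or scoped packages.
    if (!/(^|\/)node_modules\/webpack$/.test(path)) continue;
    const before = isBeforeFix(meta.version);
    if (before === false) continue;
    hits.push({ path, version: meta.version, status: before === null ? 'unparseable' : 'before-fix' });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project and dependency names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/webpack': { version: '5.93.0' },
    'node_modules/webpack-cli': { version: '5.1.4' },
    'node_modules/legacy-tool/node_modules/webpack': { version: '4.47.0' },
    'node_modules/other-tool/node_modules/webpack': { version: '5.94.0' },
  },
};

console.log(findWebpackBeforeFix(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.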


