CVE-2022-37601

Aliases:GHSA-76p3-8jx3-jpfq
Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 12 Oct 2022, 00:00
Last modified:28 Oct 2024, 19:41

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
18.84% MEDIUM
19% probability -0.43%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

12 Oct 2022, 00:00
Published
Vulnerability first disclosed
28 Oct 2024, 19:41
Last Modified
Vulnerability information updated

Description

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

CVSS Metrics

  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v3.1MEDIUMScore: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 18.84% Percentile: 95%

Techniques & Countermeasures

  • CWE-1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

    The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

  • CWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes

    The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Affected Systems

  • debiandebian_linux

    10.0

  • Npmloader-utils

    ≥ 2.0.0, < 2.0.3 | < 1.4.1

  • webpack.jsloader-utils

    < 1.4.1 | ≥ 2.0.0, < 2.0.3

  • wordpresselasticpress

    ≤ 4.3.1

  • wordpressinsert-special-characters

    ≤ 1.0.5

  • wordpressmaps-block-apple

    ≤ 1.0.3

References (19)