You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Vulnerable Library - webpack-5.74.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.74.0.tgz
Path to dependency file: /fixtures/flight/package.json
Path to vulnerable library: /fixtures/flight/node_modules/webpack/package.json
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-28154
Vulnerable Library - webpack-5.74.0.tgz
Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Library home page: https://registry.npmjs.org/webpack/-/webpack-5.74.0.tgz
Path to dependency file: /fixtures/flight/package.json
Path to vulnerable library: /fixtures/flight/node_modules/webpack/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Publish Date: 2023-03-13
URL: CVE-2023-28154
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-03-13
Fix Resolution: 5.76.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23364
Vulnerable Library - browserslist-4.15.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.15.0.tgz
Path to dependency file: /fixtures/flight/package.json
Path to vulnerable library: /fixtures/flight/node_modules/webpack/node_modules/browserslist/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (webpack): 5.75.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: