CVE Vulnerabilities

CVE-2022-37601

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Published: Oct 12, 2022 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
8.1 IMPORTANT
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Weakness

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Software

Name Vendor Start Version End Version
Loader-utils Webpack.js * 1.4.1 (excluding)
Loader-utils Webpack.js 2.0.0 (including) 2.0.3 (excluding)
MTA-6.0-RHEL-8 RedHat mta/mta-ui-rhel8:6.0.1-10 *
RHOL-5.6-RHEL-8 RedHat openshift-logging/logging-view-plugin-rhel8:v5.6.0-28 *
Node-loader-utils Ubuntu bionic *
Node-loader-utils Ubuntu focal *
Node-loader-utils Ubuntu kinetic *
Node-loader-utils Ubuntu lunar *
Node-loader-utils Ubuntu mantic *
Node-loader-utils Ubuntu oracular *
Node-loader-utils Ubuntu trusty *
Node-loader-utils Ubuntu xenial *

Potential Mitigations

References