CVE-2022-37616

描述

## Withdrawn This advisory has been withdrawn because the maintainers of `@xmldom/xmldom` and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful. ## Original Description ### Impact A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package. ### Patches Update to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@>=0.9.0-beta.2` (dist-tag `next`). ### Workarounds None ### References https://github.com/xmldom/xmldom/pull/437 ### For more information If you have any questions or comments about this advisory: * Email us at [email protected] * Add information to https://github.com/xmldom/xmldom/issues/436

受影響套件(4)

• Debian/node-xmldomfrom 0, < 0.5.0-1+deb11u1
• Debian/node-xmldomfrom 0, < 0.1.27+ds-1+deb10u1
• npm/xmldomfrom 0, <= 0.6.0
• npm/@xmldom/xmldom>= 0.8.0, < 0.8.3

CVSS 分數

參考連結(15)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-37616
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-37616
• PATCHhttps://github.com/xmldom/xmldom
• WEBhttps://dl.acm.org/doi/abs/10.1145/3488932.3497769
• WEBhttps://dl.acm.org/doi/pdf/10.1145/3488932.3497769
• WEBhttps://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
• WEBhttps://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
• WEBhttps://github.com/xmldom/xmldom/blob/master/CHANGELOG.md#076
• WEBhttps://github.com/xmldom/xmldom/issues/436
• WEBhttps://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
• WEBhttps://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560
• WEBhttps://github.com/xmldom/xmldom/pull/437
• WEBhttps://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
• WEBhttps://lists.debian.org/debian-lts-announce/2022/10/msg00023.html
• WEBhttp://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf