Full stack solution using Vue.js, Azure Static Web Apps, Azure Function, Azure SQL Database and a microservice architecture to monitor in real-time public transportation data, create a geofence and send notification when geofence is activated
MIT License
0
stars
0
forks
source link
CVE-2022-39353 (Critical) detected in xmldom-0.7.5.tgz, xmldom-0.4.0.tgz #88
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
CVE-2022-39353 - Critical Severity Vulnerability
xmldom-0.7.5.tgz
A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.
Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz
Path to dependency file: /azure-function/node/package.json
Path to vulnerable library: /azure-function/node/node_modules/@xmldom/xmldom/package.json
Dependency Hierarchy: - mssql-6.3.1.tgz (Root Library) - tedious-6.7.1.tgz - ms-rest-nodeauth-3.1.0.tgz - adal-node-0.2.3.tgz - :x: **xmldom-0.7.5.tgz** (Vulnerable Library)
xmldom-0.4.0.tgz
A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.
Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.4.0.tgz
Path to dependency file: /azure-static-web-app/api/node/package.json
Path to vulnerable library: /azure-static-web-app/api/node/node_modules/xmldom/package.json
Dependency Hierarchy: - mssql-6.3.1.tgz (Root Library) - tedious-6.7.0.tgz - ms-rest-nodeauth-2.0.2.tgz - adal-node-0.1.28.tgz - :x: **xmldom-0.4.0.tgz** (Vulnerable Library)
Found in base branch: main
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
Publish Date: 2022-11-02
URL: CVE-2022-39353
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883
Release Date: 2022-11-02
Fix Resolution (@xmldom/xmldom): 0.7.7
Direct dependency fix Resolution (mssql): 6.3.2
Fix Resolution (xmldom): 0.7.7
Direct dependency fix Resolution (mssql): 6.3.2
Step up your Open Source Security Game with Mend here