Watemlifts / desktop

Simple collaboration from your desktop
https://desktop.github.com
MIT License
1 stars 0 forks source link

CVE-2022-39353 (Critical) detected in xmldom-0.1.27.tgz #258

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2022-39353 - Critical Severity Vulnerability

Vulnerable Library - xmldom-0.1.27.tgz

A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.1.27.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmldom/package.json

Dependency Hierarchy: - electron-builder-20.28.4.tgz (Root Library) - app-builder-lib-20.28.4.tgz - electron-osx-sign-0.4.10.tgz - plist-2.1.0.tgz - :x: **xmldom-0.1.27.tgz** (Vulnerable Library)

Found in HEAD commit: 3c70ff18bc4c76aff0a341a956ece6590d8f19e4

Found in base branch: development

Vulnerability Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.

Publish Date: 2022-11-02

URL: CVE-2022-39353

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Release Date: 2022-11-02

Fix Resolution: @xmldom/xmldom - 0.7.7,0.8.4


Step up your Open Source Security Game with Mend here