SB2023061641 - Ubuntu update for node-xmldom
Published: June 16, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Interaction Between Multiple Correctly-Behaving Entities (CVE-ID: CVE-2021-21366)
CWE-ID: CWE-435 - Improper Interaction Between Multiple Correctly-Behaving Entities
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to the system.
The vulnerability exists due to xmldom do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. A remote attacker can send a specially crafted file and make syntactic changes during XML processing in some downstream applications.
2) Prototype pollution (CVE-ID: CVE-2022-37616)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists in the function copy in dom.js in the xmldom package for Node.js via the p variable. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
3) Input validation error (CVE-ID: CVE-2022-39353)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input within DOM nodes when they are not well-formed. A remote attacker can pass specially crafted input to the application and gain unauthorized access to the application.
Remediation
Install update from vendor's website.