Vulnerability Name: CVE-2023-28154 (CCN-249874)
Assigned: 2022-12-05
Published: 2022-12-05
Updated: 2023-04-22

Summary: Webpack could allow a remote attacker to bypass security restrictions, caused by the mishandling of the magic comment feature by ImportParserPlugin.js. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to the real global object.

CVSS v3 Severity:
  9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
  7.9 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

CVSS v2 Severity:
  9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N)

Vulnerability Consequences: Bypass Security

References:
  - Source: MITRE; Type: CNA; CVE-2023-28154
  - Source: XF; Type: UNKNOWN; webpack-cve202328154-sec-bypass(249874)
  - Source: cve@mitre.org; Type: Patch, Product
  - Source: CCN; Type: Webpack GIT Repository; security: avoid cross-realm objects #16500
  - Source: cve@mitre.org; Type: Patch
  - Source: cve@mitre.org; Type: UNKNOWN
  - Source: cve@mitre.org; Type: UNKNOWN
  - Source: cve@mitre.org; Type: UNKNOWN
  - Source: CCN; Type: SNYK-JS-WEBPACK-3358798; Sandbox Bypass
  - Source: CCN; Type: IBM Security Bulletin 6982851 (Cloud Pak for Integration); Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Webpack (CVE-2023-28154)
  - Source: CCN; Type: IBM Security Bulletin 6986577 (Cloud Pak for Watson AIOps); Multiple Vulnerabilities in CloudPak for Watson AIOPs
  - Source: CCN; Type: IBM Security Bulletin 6989099 (Cloud Pak for Network Automation); IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities
  - Source: CCN; Type: IBM Security Bulletin 7000057 (Edge Application Manager); IBM Edge Application Manager has a vulnerability listed in CVE 2023-28154. IBM has addressed this vulnerability.
  - Source: CCN; Type: IBM Security Bulletin 7002503 (Cloud Pak for Security); IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Vulnerable Configuration:
  - Configuration RedHat 1
  - Configuration CCN 1
  (Legend: a marked entry denotes that the component is vulnerable)

Oval Definitions: