CVE-2022-37603
First published: Thu Oct 06 2022(Updated: )
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| npm/loader-utils | >=3.0.0<3.2.1 | 3.2.1 |
| npm/loader-utils | >=2.0.0<2.0.4 | 2.0.4 |
| npm/loader-utils | >=1.0.0<1.4.2 | 1.4.2 |
| Webpack | <1.4.2 | |
| Webpack | >=2.0.0<2.0.4 | |
| Webpack | >=3.0.0<3.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-37603
- https://github.com/webpack/loader-utils/issues/213
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
- https://github.com/webpack/loader-utils/issues/216
- https://github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa
- https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb
- https://github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/
- https://github.com/advisories/GHSA-3rfm-jhwj-7488 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/
- https://learn.snyk.io/lessons/prototype-pollution/javascript/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140598
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140606
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140607
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140608
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140609
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140610
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140611
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140605
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140612
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140613
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2140614
- https://access.redhat.com/errata/RHSA-2022:8781
- https://access.redhat.com/errata/RHSA-2023:0471
- https://access.redhat.com/security/cve/cve-2022-37603
- https://access.redhat.com/errata/RHSA-2023:0713
- https://access.redhat.com/errata/RHSA-2023:0934
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:1047
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/errata/RHSA-2023:1428
- https://access.redhat.com/errata/RHSA-2023:3374
- https://bugzilla.redhat.com/show_bug.cgi?id=2140597
- https://www.cve.org/CVERecord?id=CVE-2022-37603 https://nvd.nist.gov/vuln/detail/CVE-2022-37603
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-37603?
CVE-2022-37603 is a Regular expression denial of service (ReDoS) vulnerability in webpack loader-utils.
How does CVE-2022-37603 affect the software?
CVE-2022-37603 affects the loader-utils package in webpack with versions between 1.0.0 and 3.2.1.
What is the severity of CVE-2022-37603?
CVE-2022-37603 has a severity rating of 7.5 (High).
How can I fix CVE-2022-37603?
To fix CVE-2022-37603, update the loader-utils package to version 3.2.1 or later.
Where can I find more information about CVE-2022-37603?
You can find more information about CVE-2022-37603 at the following references: - [CVE-2022-37603 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2022-37603) - [CVE-2022-37603 on NIST](https://nvd.nist.gov/vuln/detail/CVE-2022-37603) - [Bugzilla Entry](https://bugzilla.redhat.com/show_bug.cgi?id=2140597) - [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2023:0471)
- collector/redhat-cve
- collector/github-advisory-latest
- alias/GHSA-3rfm-jhwj-7488
- alias/CVE-2022-37603
- collector/github-advisory
- agent/type
- agent/author
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/npm
- vendor/webpack.js
- canonical/webpack
- version/webpack/2.0.0
- version/webpack/3.0.0