CVE-2023-0842
First published: Wed Apr 05 2023(Updated: )
xml2js could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Credit: help@fluidattacks.com help@fluidattacks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Watson Knowledge Catalog on-prem | <=4.x | |
| npm/xml2js | <0.5.0 | 0.5.0 |
| Xml2js Project Xml2js | =0.4.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/252153
- https://www.ibm.com/support/pages/node/7009747 (Advisory)
- https://fluidattacks.com/advisories/myers/
- https://github.com/Leonidas-from-XIV/node-xml2js/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-0842
- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5
- https://fluidattacks.com/advisories/myers
- https://github.com/Leonidas-from-XIV/node-xml2js
- https://github.com/advisories/GHSA-776f-qx25-q3cc (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-0842?
The severity of CVE-2023-0842 is high, with a score of 7.3.
How does CVE-2023-0842 allow an attacker to edit or add new properties to an object?
CVE-2023-0842 allows an attacker to edit or add new properties to an object through prototype pollution.
How can an attacker exploit CVE-2023-0842?
An attacker can exploit CVE-2023-0842 by sending a specially-crafted request.
What software versions are affected by CVE-2023-0842?
Version 0.4.23 of xml2js and versions up to and including 4.x of IBM Watson Knowledge Catalog on-prem are affected by CVE-2023-0842.
Are there any references or additional resources for CVE-2023-0842?
Yes, you can find additional information about CVE-2023-0842 at the following links: [1] https://fluidattacks.com/advisories/myers/ [2] https://github.com/Leonidas-from-XIV/node-xml2js/ [3] https://exchange.xforce.ibmcloud.com/vulnerabilities/252153
- agent/type
- agent/weakness
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-776f-qx25-q3cc
- alias/CVE-2023-0842
- agent/software-canonical-lookup
- agent/event
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/npm
- vendor/xml2js project
- canonical/xml2js project xml2js
- version/xml2js project xml2js/0.4.23
- vendor/ibm
- canonical/ibm watson knowledge catalog on-prem
- version/ibm watson knowledge catalog on-prem/4.x