Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
History

Tue, 10 Dec 2024 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhmt
CPEs cpe:/a:redhat:rhmt:1.8::el8
Vendors & Products Redhat rhmt

Tue, 26 Nov 2024 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat jboss Data Grid
CPEs cpe:/a:redhat:jboss_data_grid:8
Vendors & Products Redhat jboss Data Grid

Thu, 31 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.17::el9

Tue, 22 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat network Observ Optr
CPEs cpe:/a:redhat:network_observ_optr:1.7.0::el9
Vendors & Products Redhat network Observ Optr

Wed, 16 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Data Foundation
CPEs cpe:/a:redhat:openshift_data_foundation:4.16::el9
Vendors & Products Redhat openshift Data Foundation

Tue, 15 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Serverless
CPEs cpe:/a:redhat:openshift_serverless:1.34::el8
Vendors & Products Redhat openshift Serverless

Tue, 08 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat cryostat
Redhat service Mesh
CPEs cpe:/a:redhat:cryostat:3::el8
cpe:/a:redhat:service_mesh:2.4::el8
cpe:/a:redhat:service_mesh:2.5::el8
cpe:/a:redhat:service_mesh:2.6::el8
cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products Redhat
Redhat cryostat
Redhat service Mesh

Tue, 03 Sep 2024 15:00:00 +0000


Fri, 30 Aug 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Webpack.js
Webpack.js webpack
CPEs cpe:2.3:a:webpack.js:webpack:*:*:*:*:*:node.js:*:*
Vendors & Products Webpack.js
Webpack.js webpack

Tue, 27 Aug 2024 21:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 27 Aug 2024 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Webpack
Webpack webpack
CPEs cpe:2.3:a:webpack:webpack:*:*:*:*:*:*:*:*
Vendors & Products Webpack
Webpack webpack
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Aug 2024 17:15:00 +0000

Type Values Removed Values Added
Description Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Title DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-08-27T17:07:16.285Z

Updated: 2024-09-03T14:51:39.140Z

Reserved: 2024-08-16T14:20:37.323Z

Link: CVE-2024-43788

cve-icon Vulnrichment

Updated: 2024-08-27T18:11:53.603Z

cve-icon NVD

Status : Modified

Published: 2024-08-27T17:15:07.967

Modified: 2024-09-03T15:15:15.937

Link: CVE-2024-43788

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-08-27T17:15:07Z

Links: CVE-2024-43788 - Bugzilla