SB2023061641 - Ubuntu update for node-xmldom 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023061641

SB2023061641 - Ubuntu update for node-xmldom

Published: June 16, 2023

Security Bulletin ID SB2023061641
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Interaction Between Multiple Correctly-Behaving Entities (CVE-ID: CVE-2021-21366)

The vulnerability allows a remote attacker to gain access to the system.

The vulnerability exists due to xmldom do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. A remote attacker can send a specially crafted file and make syntactic changes during XML processing in some downstream applications.


2) Prototype pollution (CVE-ID: CVE-2022-37616)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists in the function copy in dom.js in the xmldom package for Node.js via the p variable. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.


3) Input validation error (CVE-ID: CVE-2022-39353)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input within DOM nodes when they are not well-formed. A remote attacker can pass specially crafted input to the application and gain unauthorized access to the application.


Remediation

Install update from vendor's website.

References