-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency webpack to v5.94.0 [security] #1285
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-webpack-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #1285 +/- ##
=======================================
Coverage 85.72% 85.72%
=======================================
Files 609 609
Lines 13363 13363
Branches 2812 2809 -3
=======================================
Hits 11455 11455
Misses 1838 1838
Partials 70 70 ☔ View full report in Codecov by Sentry. |
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
September 3, 2024 13:27
e63da5d
to
231b64a
Compare
renovate
bot
changed the title
chore(deps): update dependency webpack to v5.94.0 [security]
chore(deps): update dependency webpack to v5.94.0 [security] - autoclosed
Sep 3, 2024
renovate
bot
changed the title
chore(deps): update dependency webpack to v5.94.0 [security] - autoclosed
chore(deps): update dependency webpack to v5.94.0 [security]
Sep 4, 2024
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
6 times, most recently
from
September 11, 2024 11:44
104cdce
to
106b6d9
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
12 times, most recently
from
September 19, 2024 18:26
0720b71
to
3e1f964
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
4 times, most recently
from
September 24, 2024 22:47
8a338f8
to
3a65820
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
6 times, most recently
from
October 18, 2024 19:35
a3704a8
to
c7fd154
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
2 times, most recently
from
October 23, 2024 10:29
a8e632d
to
bad8185
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
October 30, 2024 14:40
bad8185
to
27d24b2
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
5 times, most recently
from
November 13, 2024 13:27
89fd845
to
7cb9a4b
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
5 times, most recently
from
November 19, 2024 14:59
e7b434c
to
dd61805
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
4 times, most recently
from
November 26, 2024 16:19
ddb004a
to
4b2b165
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
5 times, most recently
from
December 4, 2024 21:41
e7c17c8
to
d1c5a32
Compare
renovate
bot
force-pushed
the
renovate/npm-webpack-vulnerability
branch
from
December 5, 2024 18:32
d1c5a32
to
157cb35
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.93.0
->5.94.0
GitHub Vulnerability Alerts
CVE-2024-43788
Summary
We discovered a DOM Clobbering vulnerability in Webpack’s
AutoPublicPathRuntimeModule
. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Webpack
We identified a DOM Clobbering vulnerability in Webpack’s
AutoPublicPathRuntimeModule
. When theoutput.publicPath
field in the configuration is not set or is set toauto
, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with
document.currentScript
can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, thesrc
attribute of the attacker-controlled element will be used as thescriptUrl
and assigned to__webpack_require__.p
. If additional scripts are loaded from the server,__webpack_require__.p
will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.PoC
Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.
Consider a website developer with the following two scripts,
entry.js
andimport1.js
, that are compiled using Webpack:The webpack.config.js is set up as follows:
When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the
import1.js
file from the attacker's domain,attacker.controlled.server
. The attacker only needs to insert animg
tag with thename
attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.
Patch
A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174
Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.
Release Notes
webpack/webpack (webpack)
v5.94.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.