CVE-2022-37598

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-37598
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46 Exploit Third Party Advisory
https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79 Exploit Third Party Advisory
https://github.com/mishoo/UglifyJS/issues/5699 Issue Tracking Third Party Advisory
https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:uglifyjs_project:uglifyjs:3.13.2:*:*:*:*:node.js:*:*
History

07 Nov 2023, 03:49

Type Values Removed Values Added
Summary ** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report. Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

02 Dec 2022, 23:00

Type Values Removed Values Added
References (MISC) https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604 - (MISC) https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604 - Third Party Advisory

25 Nov 2022, 05:15

Type Values Removed Values Added
References
  • (MISC) https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604 -
Summary Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. ** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

21 Oct 2022, 16:09

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
References (MISC) https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79 - (MISC) https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79 - Exploit, Third Party Advisory
References (MISC) https://github.com/mishoo/UglifyJS/issues/5699 - (MISC) https://github.com/mishoo/UglifyJS/issues/5699 - Issue Tracking, Third Party Advisory
References (MISC) https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46 - (MISC) https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46 - Exploit, Third Party Advisory
CWE CWE-1321
First Time Uglifyjs Project
Uglifyjs Project uglifyjs
CPE cpe:2.3:a:uglifyjs_project:uglifyjs:3.13.2:*:*:*:*:node.js:*:*

20 Oct 2022, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-10-20 11:15

Updated : 2024-04-11 01:16

NVD link : CVE-2022-37598

Mitre link : CVE-2022-37598

CVE.ORG link : CVE-2022-37598

JSON object : View

Products Affected

uglifyjs_project

  • uglifyjs
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')