Vulnerability-Lookup

CVE-2022-39353 (GCVE-0-2022-39353)

Vulnerability from cvelistv5 – Published: 2022-11-02 00:00 – Updated: 2025-04-22 17:16

Title

xmldom allows multiple root nodes in a DOM

Summary

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.

Severity ?

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CWE

CWE-20 - Improper Input Validation
CWE-1288 - Improper Validation of Consistency within Input

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	xmldom	xmldom	Affected: <= 0.6.0 Affected: < 0.7.7 Affected: >= 0.8.0, < 0.8.4 Affected: >= 0.9.0-beta.1, < 0.9.0-beta.4

GSD-2022-39353

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-39353

Aliases

CVE-2022-39353

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39353",
    "description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.",
    "id": "GSD-2022-39353"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39353"
      ],
      "details": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.",
      "id": "GSD-2022-39353",
      "modified": "2023-12-13T01:19:20.925534Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39353",
        "STATE": "PUBLIC",
        "TITLE": "xmldom allows multiple root nodes in a DOM"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "xmldom",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 0.6.0"
                        },
                        {
                          "version_value": "\u003c 0.7.7"
                        },
                        {
                          "version_value": "\u003e= 0.8.0, \u003c 0.8.4"
                        },
                        {
                          "version_value": "\u003e= 0.9.0-beta.1, \u003c 0.9.0-beta.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "xmldom"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-1288: Improper Validation of Consistency within Input"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
            "refsource": "CONFIRM",
            "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
          },
          {
            "name": "https://github.com/jindw/xmldom/issues/150",
            "refsource": "MISC",
            "url": "https://github.com/jindw/xmldom/issues/150"
          },
          {
            "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-crh6-fp67-6883",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.7.7||\u003e=0.8.0 \u003c0.8.4||=0.9.0",
          "affected_versions": "All versions before 0.7.7, all versions starting from 0.8.0 before 0.8.4, version 0.9.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2023-03-01",
          "description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.",
          "fixed_versions": [
            "0.7.7",
            "0.8.4"
          ],
          "identifier": "CVE-2022-39353",
          "identifiers": [
            "CVE-2022-39353",
            "GHSA-crh6-fp67-6883",
            "GMS-2022-6112"
          ],
          "not_impacted": "All versions starting from 0.7.7 before 0.8.0, all versions starting from 0.8.4 before 0.9.0, all versions after 0.9.0",
          "package_slug": "npm/@xmldom/xmldom",
          "pubdate": "2022-11-02",
          "solution": "Upgrade to versions 0.7.7, 0.8.4 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39353",
            "https://github.com/jindw/xmldom/issues/150",
            "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
            "https://github.com/xmldom/xmldom/releases/tag/0.7.7",
            "https://github.com/xmldom/xmldom/releases/tag/0.8.4",
            "https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.4",
            "https://github.com/advisories/GHSA-crh6-fp67-6883"
          ],
          "uuid": "4eded5e6-9003-4b73-a449-46915611bf09"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 0.7.7, all versions starting from 0.8.0 before 0.8.4, all versions starting from 0.9.0-beta.1 before 0.9.0-beta.4",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-01",
          "description": "### Impact\nxmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing.\nThis breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.7`, `@xmldom/xmldom@~0.8.4` (dist-tag `latest`) or `@xmldom/xmldom@\u003e=0.9.0-beta.4` (dist-tag `next`).\n\n### Workarounds\nOne of the following approaches might help, depending on your use case:\n- Instead of searching for elements in the whole DOM, only search in the `documentElement`.\n- Reject a document with a document that has more then 1 `childNode`.\n\n### References\n- https://nvd.nist.gov/vuln/detail/CVE-2022-39299\n- https://github.com/jindw/xmldom/issues/150\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n",
          "fixed_versions": [
            "0.7.7",
            "0.8.4",
            "0.9.0-beta.4"
          ],
          "identifier": "GMS-2022-6112",
          "identifiers": [
            "GHSA-crh6-fp67-6883",
            "GMS-2022-6112",
            "CVE-2022-39353"
          ],
          "not_impacted": "All versions starting from 0.7.7 before 0.8.0, all versions starting from 0.8.4 before 0.9.0-beta.1, all versions starting from 0.9.0-beta.4",
          "package_slug": "npm/@xmldom/xmldom",
          "pubdate": "2022-11-01",
          "solution": "Upgrade to versions 0.7.7, 0.8.4, 0.9.0-beta.4 or above. *Note*: 0.9.0-beta.4 may be an unstable version. Use caution.",
          "title": "Duplicate of ./npm/@xmldom/xmldom/CVE-2022-39353.yml",
          "urls": [
            "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
            "https://github.com/xmldom/xmldom/releases/tag/0.7.7",
            "https://github.com/xmldom/xmldom/releases/tag/0.8.4",
            "https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.4",
            "https://github.com/advisories/GHSA-crh6-fp67-6883"
          ],
          "uuid": "ec504658-1583-4721-b861-2fb17766b62f"
        },
        {
          "affected_range": "\u003c0.7.7||\u003e=0.8.0 \u003c0.8.4||=0.9.0",
          "affected_versions": "All versions before 0.7.7, all versions starting from 0.8.0 before 0.8.4, version 0.9.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2023-03-01",
          "description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.",
          "fixed_versions": [],
          "identifier": "CVE-2022-39353",
          "identifiers": [
            "CVE-2022-39353",
            "GHSA-crh6-fp67-6883",
            "GMS-2022-6132"
          ],
          "not_impacted": "",
          "package_slug": "npm/xmldom",
          "pubdate": "2022-11-02",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39353",
            "https://github.com/jindw/xmldom/issues/150",
            "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
            "https://github.com/xmldom/xmldom/releases/tag/0.7.7",
            "https://github.com/xmldom/xmldom/releases/tag/0.8.4",
            "https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.4",
            "https://github.com/advisories/GHSA-crh6-fp67-6883"
          ],
          "uuid": "416e8df8-4360-4621-b800-f47e3dca7bb3"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions up to 0.6.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-01",
          "description": "### Impact\nxmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing.\nThis breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.7`, `@xmldom/xmldom@~0.8.4` (dist-tag `latest`) or `@xmldom/xmldom@\u003e=0.9.0-beta.4` (dist-tag `next`).\n\n### Workarounds\nOne of the following approaches might help, depending on your use case:\n- Instead of searching for elements in the whole DOM, only search in the `documentElement`.\n- Reject a document with a document that has more then 1 `childNode`.\n\n### References\n- https://nvd.nist.gov/vuln/detail/CVE-2022-39299\n- https://github.com/jindw/xmldom/issues/150\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n",
          "fixed_versions": [],
          "identifier": "GMS-2022-6132",
          "identifiers": [
            "GHSA-crh6-fp67-6883",
            "GMS-2022-6132",
            "CVE-2022-39353"
          ],
          "not_impacted": "",
          "package_slug": "npm/xmldom",
          "pubdate": "2022-11-01",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Duplicate of ./npm/xmldom/CVE-2022-39353.yml",
          "urls": [
            "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
            "https://github.com/xmldom/xmldom/releases/tag/0.7.7",
            "https://github.com/xmldom/xmldom/releases/tag/0.8.4",
            "https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.4",
            "https://github.com/advisories/GHSA-crh6-fp67-6883"
          ],
          "uuid": "c2d708fe-d1a0-4aef-b3a1-a63c421cd5f0"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.6.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.8.4",
                "versionStartIncluding": "0.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta2:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta3:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.7.7",
                "versionStartIncluding": "0.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39353"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                },
                {
                  "lang": "en",
                  "value": "CWE-1288"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/jindw/xmldom/issues/150",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://github.com/jindw/xmldom/issues/150"
            },
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
            },
            {
              "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-03-01T14:03Z",
      "publishedDate": "2022-11-02T17:15Z"
    }
  }
}

GHSA-CRH6-FP67-6883

Vulnerability from github – Published: 2022-11-01 17:29 – Updated: 2022-11-04 20:44

Summary

xmldom allows multiple root nodes in a DOM

Details

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case: - Instead of searching for elements in the whole DOM, only search in the documentElement. - Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory: * Email us at security@xmldom.org

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@xmldom/xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@xmldom/xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@xmldom/xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0-beta.1"
            },
            {
              "fixed": "0.9.0-beta.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1288",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-01T17:29:11Z",
    "nvd_published_at": "2022-11-02T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nxmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing.\nThis breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.7`, `@xmldom/xmldom@~0.8.4` (dist-tag `latest`) or `@xmldom/xmldom@\u003e=0.9.0-beta.4` (dist-tag `next`).\n\n### Workarounds\nOne of the following approaches might help, depending on your use case:\n- Instead of searching for elements in the whole DOM, only search in the `documentElement`.\n- Reject a document with a document that has more then 1 `childNode`.\n\n### References\n- https://nvd.nist.gov/vuln/detail/CVE-2022-39299\n- https://github.com/jindw/xmldom/issues/150\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n",
  "id": "GHSA-crh6-fp67-6883",
  "modified": "2022-11-04T20:44:46Z",
  "published": "2022-11-01T17:29:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jindw/xmldom/issues/150"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/commit/52a708360c35aa160fcca8621720d71fd0f95f1a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/commit/7ff7c10ab2961703ac1752e95b4ff60ee4ee6643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/commit/c02f786216bed70825f9a351c65e61500f51e931"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xmldom/xmldom"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/releases/tag/0.7.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "xmldom allows multiple root nodes in a DOM"
}

CVE-2022-39353

Vulnerability from fstec - Published: 30.10.2022

Title

Уязвимость модуля определения способа доступа к документам XML и управления ими XMLDOM, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить несанкционированный доступ к приложению

Description

Уязвимость модуля определения способа доступа к документам XML и управления ими XMLDOM связана с недостаточной проверкой вводимых данных. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить несанкционированный доступ к приложению путем передачи специально созданных данных

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Сообщество свободного программного обеспечения

Software Name

XMLDOM

Software Version

до 0.7.7 (XMLDOM), от 0.8.0 до 0.8.4 (XMLDOM), от 0.9.0-beta.1 до 0.9.0-beta.4 (XMLDOM)

Possible Mitigations

Использование рекомендаций: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Reference

https://www.cybersecurity-help.cz/vdb/SB2022103127 https://github.com/jindw/xmldom/issues/150 https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 https://access.redhat.com/security/cve/cve-2022-39353

CWE

CWE-20, CWE-1288

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 0.7.7 (XMLDOM), \u043e\u0442 0.8.0 \u0434\u043e 0.8.4 (XMLDOM), \u043e\u0442 0.9.0-beta.1 \u0434\u043e 0.9.0-beta.4 (XMLDOM)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "30.10.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.12.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.12.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-07108",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-39353",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "XMLDOM",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0441\u043f\u043e\u0441\u043e\u0431\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u043c XML \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u043c\u0438 XMLDOM, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044e",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20), \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0441\u043e\u0433\u043b\u0430\u0441\u043e\u0432\u0430\u043d\u043d\u043e\u0441\u0442\u0438 \u0432\u043e \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-1288)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0441\u043f\u043e\u0441\u043e\u0431\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u043c XML \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u043c\u0438 XMLDOM \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044e \u043f\u0443\u0442\u0435\u043c \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.cybersecurity-help.cz/vdb/SB2022103127\nhttps://github.com/jindw/xmldom/issues/150\nhttps://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883\nhttps://access.redhat.com/security/cve/cve-2022-39353",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20, CWE-1288",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2022-39353

Vulnerability from fkie_nvd - Published: 2022-11-02 17:15 - Updated: 2024-11-21 07:18

Severity ?

9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/jindw/xmldom/issues/150	Exploit, Issue Tracking, Third Party Advisory
security-advisories@github.com	https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883	Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jindw/xmldom/issues/150	Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
xmldom_project	xmldom	*
xmldom_project	xmldom	*
xmldom_project	xmldom	*
xmldom_project	xmldom	0.9.0
xmldom_project	xmldom	0.9.0
xmldom_project	xmldom	0.9.0
debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "AE53B86A-F7D4-47C7-ADB7-E88EAD0C2044",
              "versionEndExcluding": "0.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "96FDE7F1-77D9-402A-B5CB-DE6071DE4813",
              "versionEndExcluding": "0.7.7",
              "versionStartIncluding": "0.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "C525AC8C-417F-4CF1-B26C-DE55EF338372",
              "versionEndExcluding": "0.8.4",
              "versionStartIncluding": "0.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:*",
              "matchCriteriaId": "884B240D-F39F-4283-825B-DCACEACCF56F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta2:*:*:*:node.js:*:*",
              "matchCriteriaId": "239CB56A-A53C-4FF3-ADAD-A9E0435582D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta3:*:*:*:node.js:*:*",
              "matchCriteriaId": "85330F73-D8B8-44C3-89F4-31051F0CCE46",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`."
    },
    {
      "lang": "es",
      "value": "xmldom es un m\u00f3dulo `DOMParser` y `XMLSerializer` basado en el est\u00e1ndar W3C de JavaScript puro (XML DOM Level 2 Core). xmldom analiza XML que no est\u00e1 bien formado porque contiene m\u00faltiples elementos de nivel superior y agrega todos los nodos ra\u00edz a la colecci\u00f3n `childNodes` del `Documento`, sin informar ning\u00fan error ni arrojar. Esto rompe la suposici\u00f3n de que solo hay un nodo ra\u00edz en el \u00e1rbol, lo que llev\u00f3 a la emisi\u00f3n de CVE-2022-39299, ya que es un problema potencial para los dependientes. Actualice a @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag m\u00e1s reciente) o @xmldom/xmldom@\u0026gt;=0.9.0-beta.4 (dist-tag siguiente). Como workaround, utilice uno de los siguientes enfoques seg\u00fan su caso de uso: en lugar de buscar elementos en todo el DOM, solo busque en `documentElement` o rechace un documento con un documento que tenga m\u00e1s de 1 `childNode`."
    }
  ],
  "id": "CVE-2022-39353",
  "lastModified": "2024-11-21T07:18:06.040",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-02T17:15:17.387",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/jindw/xmldom/issues/150"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/jindw/xmldom/issues/150"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-1288"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-39353 (GCVE-0-2022-39353)

GSD-2022-39353

GHSA-CRH6-FP67-6883

Impact

Patches

Workarounds

References

For more information

CVE-2022-39353

FKIE_CVE-2022-39353

Tags

Sightings

Nomenclature