Back

CVE-2024-47068

Sept. 23, 2024, 4:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Rollup

  • before 3.29.5
  • before 4.22.4

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-79
2024-09-23
CVE-2024-47068

CVE-2024-47068 details

Published : Sept. 23, 2024, 4:15 p.m.
Last Modified : Sept. 23, 2024, 4:15 p.m.

Description

Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.

CVSS Score

1 2 3 4 5 6.1 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Exploitability Score

2.8

Impact Score

2.7

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

URL Source
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162 security-advisories@github.com
https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185 security-advisories@github.com
https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4 security-advisories@github.com
https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541 security-advisories@github.com
https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.