| Name | CVE-2022-37598 |
| Description | ** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| uglify-js (PTS) | buster | 3.4.9-5 | vulnerable |
| bullseye | 3.12.8-1 | vulnerable | |
| bookworm, sid | 3.17.4-2 | vulnerable | |
| uglifyjs (PTS) | buster | 2.8.29-6 | vulnerable |
| sid, bullseye | 2.8.29-8 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| uglify-js | source | (unstable) | (unfixed) | unimportant | ||
| uglifyjs | source | (unstable) | (unfixed) | unimportant |
https://github.com/mishoo/UglifyJS/issues/5699
Issue is not considered valid from upstream in
https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604