CVE-2023-0842

Name: CVE-2023-0842
Description: xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3760-1
Debian Bugs: 1034148

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release             Version                       Status
node-xml2js (PTS)    buster              0.2.8-1                       vulnerable
                     buster (security)   0.2.8-1.1+deb11u1~deb10u1     fixed
                     bullseye            0.2.8-1.1+deb11u1             fixed
                     bookworm            0.4.23+~cs15.4.0+dfsg-8       fixed
                     sid, trixie         0.6.2+~cs15.1.1-1             fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version                 Urgency   Origin       Debian Bugs
node-xml2js   source   buster       0.2.8-1.1+deb11u1~deb10u1               DLA-3760-1
node-xml2js   source   bullseye     0.2.8-1.1+deb11u1
node-xml2js   source   (unstable)   0.4.23+~cs15.4.0+dfsg-7                              1034148

Notes

https://fluidattacks.com/advisories/myers/
https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
https://github.com/Leonidas-from-XIV/node-xml2js/pull/603
https://github.com/Leonidas-from-XIV/node-xml2js/commit/581b19a62d88f8a3c068b5a45f4542c2d6a495a5
