Name | CVE-2023-0842 |
Description | xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3760-1 |
Debian Bugs | 1034148 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
node-xml2js (PTS) | bullseye | 0.2.8-1.1+deb11u1 | fixed |
node-xml2js (PTS) | bookworm | 0.4.23+~cs15.4.0+dfsg-8 | fixed |
node-xml2js (PTS) | sid, trixie | 0.6.2+~cs15.1.1-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
node-xml2js | source | buster | 0.2.8-1.1+deb11u1~deb10u1 | | DLA-3760-1 | |
node-xml2js | source | bullseye | 0.2.8-1.1+deb11u1 | | | |
node-xml2js | source | (unstable) | 0.4.23+~cs15.4.0+dfsg-7 | | | 1034148 |
https://fluidattacks.com/advisories/myers/
https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
https://github.com/Leonidas-from-XIV/node-xml2js/pull/603
https://github.com/Leonidas-from-XIV/node-xml2js/commit/581b19a62d88f8a3c068b5a45f4542c2d6a495a5