Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affecting grafana-prometheus package, versions *
Threat Intelligence
EPSS
0.97% (84th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CENTOS8-GRAFANAPROMETHEUS-3150548
- published 29 Nov 2022
- disclosed 14 Oct 2022
Introduced: 14 Oct 2022
CVE-2022-37601 Open this link in a new tabHow to fix?
There is no fixed version for Centos:8
grafana-prometheus
.
NVD Description
Note: Versions mentioned in the description apply only to the upstream grafana-prometheus
package and not the grafana-prometheus
package as distributed by Centos
.
See How to fix?
for Centos:8
relevant fixed versions and status.
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
References
- https://access.redhat.com/security/cve/CVE-2022-37601
- http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
- https://dl.acm.org/doi/abs/10.1145/3488932.3497769
- https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47
- https://github.com/webpack/loader-utils/issues/212
- https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884
- https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
- https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html
CVSS Scores
version 3.1