[SECURITY] [DLA 3154-1] node-xmldom security update

2022-10-1815:06:03

lists.debian.org

debian lts advisory

prototype pollution

upgrade package

security tracker

debian 10 buster

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.003

Percentile

69.2%

JSON

Debian LTS Advisory DLA-3154-1 [email protected]
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 18, 2022 https://wiki.debian.org/LTS

Package : node-xmldom
Version : 0.1.27+ds-1+deb10u1
CVE ID : CVE-2022-37616
Debian Bug : 1021618

It was found that the Node XML DOM library was vulnerable to prototype
pollution.

For Debian 10 buster, this problem has been fixed in version
0.1.27+ds-1+deb10u1.

We recommend that you upgrade your node-xmldom packages.

For the detailed security status of node-xmldom please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-xmldom

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10allnode-xmldom< 0.1.27+ds-1+deb10u1node-xmldom_0.1.27+ds-1+deb10u1_all.deb
Debian11allnode-xmldom< 0.5.0-1+deb11u1node-xmldom_0.5.0-1+deb11u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	node-xmldom	< 0.1.27+ds-1+deb10u1	node-xmldom_0.1.27+ds-1+deb10u1_all.deb
Debian	11	all	node-xmldom	< 0.5.0-1+deb11u1	node-xmldom_0.5.0-1+deb11u1_all.deb