CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
A flaw was found in the Rollup module bundler for JavaScript. Certain versions are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta
such as import.meta.url
in the cjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements are present, for example, an img
tag with an unsanitized name
attribute.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
bugzilla.redhat.com/show_bug.cgi?id=2314249
github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
nvd.nist.gov/vuln/detail/CVE-2024-47068
www.cve.org/CVERecord?id=CVE-2024-47068