UBUNTU-CVE-2024-47068
See a problem?- Import Source
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-47068
- Related
- Published
- 2024-09-23T16:15:00Z
- Modified
- 2024-11-06T04:31:58Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from
import.meta(e.g.,import.meta.url) incjs/umd/iifeformat. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animgtag with an unsanitizednameattribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability. - References
-
- https://ubuntu.com/security/CVE-2024-47068
- https://www.cve.org/CVERecord?id=CVE-2024-47068
- https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
- https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
- https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
- https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162
- https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185
Affected packages
Ubuntu:20.04:LTS / node-rollup
Package
- Name
- node-rollup
- Purl
- pkg:deb/ubuntu/node-rollup?arch=src?distro=focal
Ubuntu:22.04:LTS / node-rollup
Package
- Name
- node-rollup
- Purl
- pkg:deb/ubuntu/node-rollup?arch=src?distro=jammy
Ubuntu:24.10 / node-rollup
Package
- Name
- node-rollup
- Purl
- pkg:deb/ubuntu/node-rollup?arch=src?distro=oracular