CVE-2022-37599 - security vulnerability across all loader-utils

[apatel0708]

No description provided.

[alexander-akait]

Please update to v3, v2 is deprecated, check your deps using npm ls loader-utils

[apatel0708]

3.2.0 is the version being used.

[alexander-akait]

Can you provide message output from npm/yarn/etc?

[apatel0708]

npm verb stack Error: 403 -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> <NEXUS_IQ>/ui/links/repositories/quarantinedComponent/YmZlYzg1Mzg0ZTYyNDk0MGEzZjUyZjllOTE4NmM1NDk <<<------ - GET <NEXUS_URL>/npm-group/loader-utils/-/loader-utils-3.2.0.tgz

[apatel0708]

CVE-2022-37599
Issue
CVE-2022-37599
Severity
Sonatype CVSS 37.5
CVE CVSS 2.00.0
Weakness
Sonatype CWE1333
Source
National Vulnerability Database
Categories
Data
Description from CVE
loader-utils - REDOS

Explanation
This issue has undergone the Sonatype Fast-Track process. For more information, please see the Sonatype Knowledge Base Guide.

Version Affected
[0.1.0,3.2.0]
Root Cause
loader-utils-3.2.0.tgz( , )
Advisories
Projecthttps://github.com//issues/211
CVSS Details
Sonatype CVSS 37.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

[alexander-akait]

Please run npm ls loader-utils

[apatel0708]

``+-- @angular-devkit/build-angular@12.1.4
| +-- @jsdevtools/coverage-istanbul-loader@3.0.5
| | -- loader-utils@2.0.2 | +-- babel-loader@8.2.2 | | -- loader-utils@1.4.0
| +-- css-loader@5.2.6
| | `-- loader-utils@2.0.2
| +-- loader-utils@2.0.0
| +-- mini-css-extract-plugin@1.6.2
| | `-- loader-utils@2.0.2
| +-- raw-loader@4.0.2
| | `-- loader-utils@2.0.2
| +-- resolve-url-loader@4.0.0
| | +-- adjust-sourcemap-loader@4.0.0
| | | `-- loader-utils@ invalid: "^2.0.0" from node_modules/adjust-sourcemap-loader
| | `-- loader-utils@ invalid: "^2.0.0" from node_modules/resolve-url-loader
| `-- style-loader@2.0.0
| `-- loader-utils@2.0.2
`-- loader-utils@3.2.0

We override loader-utils with the latest which is 3.2.0. it still has this CVE

[alexander-akait]

As you can see you still use v2.0.0, also new version of css-loader/mini-css-extract-plugin/style-loader and etc doesn't have loader-utils in deps

We override loader-utils with the latest which is 3.2.0. it still has this CVE

It is not safe

Also I can't get ability to see CVE-2022-37599, I don't see any report and information. Looks like you use personal tool for security. I can't fix something without information

[wrslatz]

https://nvd.nist.gov/vuln/detail/CVE-2022-37599 is a public link to the finding, though it to be void of any useful information unfortunately 😞

[alexander-akait]

@wrslatz yeah, we need example how to reproduce it, because I can't undestand there is the problem

[alexander-akait]

If somebody have any infromation feel free to send a PR with fix, I will glad to review

[lebbe]

I get a warning for loader-utils@3.2.0 as well from Sonatype iq server. But the security vulnerabilities it mentions in the description, is regarding to version 2.0.0:

Prototype pollution vulnerability in function parseQuery

(parseQuery doesn't exist in 3.2.0, so this is weird indeed!)

So there must be some fault in the systems reporting security issues. So for everyone coming here after investigating security audit reports: The three vulnerabilities mentioned about loader-utils 3.0.2 are most likely false positives due to an error in the robots reporting about security issues...

[alexander-akait]

I think so, because I can't find any related information about this