CVE & CISA-KEV Catalog

CVE-2022-37616

CRITICALEPSS 72th pctl
9.8
CVSS v3
NVD

Description

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

How to fix

Remediation Available
node-xmldomDebian
Fixed in:0.5.0-1+deb11u1CVE-2022-37616
Fixed in:0.8.3-1CVE-2022-37616
Fixed in:0.8.3-1CVE-2022-37616
Fixed in:0.8.3-1CVE-2022-37616
node-xmldomUbuntu
Fixed in:0.1.27+ds-1+deb10u2build0.20.04.1USN-6102-1
Fixed in:0.7.5-1ubuntu0.22.04.1USN-6102-1
Fixed in:0.7.5-1ubuntu0.22.10.1USN-6102-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

1.54%probability of exploitation in 30 days
72ndpercentile

Elevated risk: more likely to be exploited than 72% of all known CVEs.

References

Related Vulnerabilities

Other CWE-1321 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2019-0230Critical9.897%--
CVE-2019-11358Medium6.187%-Fix
CVE-2020-7774High7.369%-Fix
CVE-2022-24760Critical10.049%-Fix
CVE-2022-39396Critical9.839%-Fix
CVE-2022-2564Critical9.833%-Fix
Embed a live status badge for CVE-2022-37616
CVE-2022-37616 severity badge

Markdown

[![CVE-2022-37616](https://tridentstack.com/cve/badge/CVE-2022-37616.svg)](https://tridentstack.com/cve/CVE-2022-37616)

HTML

<a href="https://tridentstack.com/cve/CVE-2022-37616"><img src="https://tridentstack.com/cve/badge/CVE-2022-37616.svg" alt="CVE-2022-37616"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.