UBUNTU-CVE-2024-47068

Source
https://ubuntu.com/security/CVE-2024-47068
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-47068.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-47068
Related
Published
2024-09-23T16:15:00Z
Modified
2024-11-06T04:31:58Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.

References

Affected packages

Ubuntu:20.04:LTS / node-rollup

Package

Name
node-rollup
Purl
pkg:deb/ubuntu/node-rollup?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.50.0-6build3
0.68.2-2

1.*

1.12.0-2build2
1.12.0-2build3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / node-rollup

Package

Name
node-rollup
Purl
pkg:deb/ubuntu/node-rollup?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.38.4-1
2.42.1-2
2.61.1-5

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / node-rollup

Package

Name
node-rollup
Purl
pkg:deb/ubuntu/node-rollup?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.29.4-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / node-rollup

Package

Name
node-rollup
Purl
pkg:deb/ubuntu/node-rollup?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.28.0-2
3.29.4-2
3.29.4-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}