Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2022–29078 #23

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix CVE–2022–29078 #23

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented May 13, 2022

CVE–2022–29078

Vulnerable dependency:     ejs (npm)    2.5.7

Vulnerability details

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

NVD

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

GitHub

Template injection in ejs

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
References

    NVD - CVE-2022-29078
    Template injection in ejs · CVE-2022-29078 · GitHub Advisory Database · GitHub
    EJS, Server side template injection RCE (CVE-2022-29078) - writeup | ~#whoami
    Releases · mde/ejs · GitHub
    Sanitize option names. · mde/ejs@15ee698 · GitHub
    ejs/ejs.js at 80bf3d7dcc20dffa38686a58b4e0ba70d5cac8a1 · mde/ejs · GitHub
    Release v3.1.7 · mde/ejs · GitHub
    ejs/ejs.js at 80bf3d7dcc20dffa38686a58b4e0ba70d5cac8a1 · mde/ejs · GitHub
    GitHub - mde/ejs: Embedded JavaScript templates -- http://ejs.co
    ejs/ejs.js at 80bf3d7dcc20dffa38686a58b4e0ba70d5cac8a1 · mde/ejs · GitHub
    ejs/utils.js at 80bf3d7dcc20dffa38686a58b4e0ba70d5cac8a1 · mde/ejs · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@debricked debricked bot force-pushed the debricked-fix-CVE_2022_29078-e6b6c01af24afd80 branch from 561b99c to e3c784d Compare May 14, 2022 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants