Bug 1404187 (CVE-2017-1000188)

Summary: CVE-2017-1000188 nodejs-ejs: Cross-site scripting via ejs.renderFile()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: avibelli, gsterlin, jbalunas, jshepherd, rrajasek, tchollingsworth, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-ejs 2.5.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:04:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1404189, 1404190    
Bug Blocks: 1404191    

Description Adam Mariš 2016-12-13 09:46:33 UTC 
A cross-site scripting vulnerability was found in nodejs-ejs < 2.5.5 that allows the attacker under certain conditions control and override the filename option causing it to render the value as is, without escaping it.

Upstream patch:

https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f

External Reference:

https://snyk.io/vuln/npm:ejs:20161130
Comment 1 Adam Mariš 2016-12-13 09:54:27 UTC 
Created nodejs-ejs tracking bugs for this issue:

Affects: fedora-all [bug 1404189]
Affects: epel-all [bug 1404190]