Bug 2078757 (CVE-2022-29078)

Summary: CVE-2022-29078 ejs: server-side template injection in outputFunctionName
Product: [Other] Security Response
Reporter: Vipul Nair <vinair>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, bdettelb, cfeist, chazlett, cluster-maint, dwhatley, dymurray, eric.wittmann, ggaughan, go-sig, gparvin, ibolton, idevat, janstey, jmatthew, jmontleo, jnethert, jochrist, jross, jschatte, jwendell, jwon, kmalyjur, lmohanty, mlisik, mpospisi, mwringe, njean, omular, pahickey, pantinor, pjindal, ploffay, pvalena, rareddy, rcernich, rgodfrey, ruby-packagers-sig, scorneli, slucidi, sseago, stcannon, strzibny, thrcka, tojeline, vondruch, zebob.m
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ejs 3.1.7
Doc Type: If docs needed, set a value
Doc Text:
A command injection flaw was found in ejs (Embedded JavaScript templates) for Node.js. It allows server-side template injection through settings[view options][outputFunctionName]. This value is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed upon template compilation.
Bug Depends On: 2078760, 2078761, 2078762, 2078763, 2078788, 2079022, 2079023, 2079024, 2079025, 2079026, 2079027, 2079028, 2079145, 2079146, 2079147, 2079148, 2079149    
Bug Blocks: 2078764    

Description Vipul Nair 2022-04-26 07:11:45 UTC
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

https://eslam.io/posts/ejs-server-side-template-injection-rce/
https://github.com/mde/ejs/releases
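
A defensive check for the path described above, added here as an example (not code from ejs or from this bug report): it flags and strips a `settings` key in request-derived data before that data is handed to a template render call. The function names, the identifier pattern and the sample object are assumptions of this example; upgrading to the fixed version, ejs 3.1.7, remains the actual fix.

```javascript
// Keys that must never be taken from request data ("settings" is the path
// named in the advisory) and the option that path overwrites.
const RESERVED_TOP_LEVEL = new Set(["settings"]);
const IDENTIFIER_OPTIONS = ["outputFunctionName"];
// Assumed pattern: a plain JavaScript identifier, the only shape a function name should have.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

function isSafeIdentifier(value) {
  return typeof value === "string" && JS_IDENTIFIER.test(value);
}

// Report every place where untrusted data tries to reach the view options.
function findOptionInjection(data) {
  const findings = [];
  if (data === null || typeof data !== "object") return findings;
  const settings = data.settings;
  if (settings !== undefined) findings.push("settings");
  const viewOpts = settings && typeof settings === "object" ? settings["view options"] : undefined;
  if (viewOpts && typeof viewOpts === "object") {
    findings.push("settings[view options]");
    for (const name of IDENTIFIER_OPTIONS) {
      if (name in viewOpts && !isSafeIdentifier(viewOpts[name])) {
        findings.push(`settings[view options][${name}] is not an identifier`);
      }
    }
  }
  return findings;
}

// Copy only non-reserved own keys into a fresh object that is safe to render with.
function sanitizeRenderData(data) {
  const clean = Object.create(null);
  if (data === null || typeof data !== "object") return clean;
  for (const key of Object.keys(data)) {
    if (!RESERVED_TOP_LEVEL.has(key)) clean[key] = data[key];
  }
  return clean;
}

// Constructed sample: the shape a query-string parser yields for nested keys.
const sampleQuery = {
  name: "alice",
  settings: { "view options": { outputFunctionName: "not an identifier!" } },
};
console.log(findOptionInjection(sampleQuery));
console.log(Object.keys(sanitizeRenderData(sampleQuery)));
```

Logging the findings before stripping gives a detection signal for requests that probe this option path.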

Comment 1 Vipul Nair 2022-04-26 07:15:08 UTC
Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2078761]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2078762]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2078763]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2078760]