Bug 2078757 (CVE-2022-29078) - CVE-2022-29078 ejs: server-side template injection in outputFunctionName
Summary: CVE-2022-29078 ejs: server-side template injection in outputFunctionName
Keywords:
Status: NEW
Alias: CVE-2022-29078
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2078760 2078761 2078762 2078763 2078788 2079022 2079023 2079024 2079025 2079026 2079027 2079028 2079145 2079146 2079147 2079148 2079149
Blocks: 2078764
Reported: 2022-04-26 07:11 UTC by Vipul Nair
Modified: 2024-02-01 03:42 UTC

Fixed In Version: ejs 3.1.7
Doc Text:
A command injection attack was found in ejs (Embedded JavaScript templates) for Node.js, which allows an attacker to execute server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command executed upon template compilation.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Vipul Nair 2022-04-26 07:11:45 UTC
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

https://eslam.io/posts/ejs-server-side-template-injection-rce/
https://github.com/mde/ejs/releases
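
A defensive check for the path the description names, as an added example that is not part of the bug report or of ejs itself: it flags request-derived render data that carries `settings[view options]` and drops the `settings` key before the data reaches a template render call. The function names, the identifier pattern and the sample objects are assumptions made for illustration.

```javascript
// Added example, not ejs or Bugzilla code. Assumption: `data` is an object
// built from request parameters that the application hands to a render call.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/; // assumed allow-list for a function name

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Report every way `data` tries to set engine options through the
// settings[view options] path named in the bug description.
function findOptionOverrides(data) {
  const findings = [];
  if (!isPlainObject(data) || !Object.prototype.hasOwnProperty.call(data, 'settings')) {
    return findings;
  }
  findings.push('settings key present in render data');
  const viewOptions = isPlainObject(data.settings) ? data.settings['view options'] : undefined;
  if (isPlainObject(viewOptions)) {
    findings.push('settings[view options] present');
    const name = viewOptions.outputFunctionName;
    if (name !== undefined && !(typeof name === 'string' && JS_IDENTIFIER.test(name))) {
      findings.push('outputFunctionName is not a plain identifier');
    }
  }
  return findings;
}

// Return a copy that carries only template locals: the reserved `settings`
// key is dropped so request data can never be read as engine options.
function stripReservedKeys(data) {
  const clean = {};
  for (const [key, value] of Object.entries(data)) {
    if (key !== 'settings') clean[key] = value;
  }
  return clean;
}

// Constructed sample inputs (not taken from the bug report).
const benign = { id: '42', lang: 'en' };
const suspicious = {
  id: '42',
  settings: { 'view options': { outputFunctionName: 'not an identifier!' } },
};

console.log(findOptionOverrides(benign));     // no findings
console.log(findOptionOverrides(suspicious)); // three findings
console.log(stripReservedKeys(suspicious));   // only `id` remains
```

A guard like this complements, and does not replace, upgrading to the fixed version listed in this bug (ejs 3.1.7).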

Comment 1 Vipul Nair 2022-04-26 07:15:08 UTC
Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2078761]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2078762]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2078763]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2078760]

