Giters

classicvalues / qr1

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2024-33883 (High) detected in ejs-3.1.7.tgz, ejs-3.1.8.tgz

mend-bolt-for-github opened this issue · comments

commented

CVE-2024-33883 - High Severity Vulnerability

Vulnerable Libraries - ejs-3.1.7.tgz, ejs-3.1.8.tgz

ejs-3.1.7.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.7.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/package.json

Dependency Hierarchy:

  • sails-1.5.3.tgz (Root Library)
    • ejs-3.1.7.tgz (Vulnerable Library)
ejs-3.1.8.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.8.tgz

Path to dependency file: /Application/package.json

Path to vulnerable library: /Application/package.json

Dependency Hierarchy:

  • ejs-3.1.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Publish Date: 2024-04-28

URL: CVE-2024-33883

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883

Release Date: 2024-04-28

Fix Resolution: ejs - 3.1.10

Step up your Open Source Security Game with Mend here

commented

This issue won't be fixed & marked as invalid. Closed!