oclif / core

Node.js Open CLI Framework. Built by Salesforce.

Home Page: https://oclif.io

Transitive vulnerability in ejs v3.1.8

filiar opened this issue

BlackDuck scan reports medium security risk in ejs v3.1.8 (transitive dependency for oclif/core v2.15.0).

Description
ejs is vulnerable to server-side template injection (SSTI) leading to remote code execution (RCE) when an application using ejs has user controlled input passed directly into the res.render() function. This could allow a remote attacker to execute commands on the underlying web server of such an application.

There is a fix available in ejs v3.1.8.

Could you please migrate to using the recommended ejs version.


Kind Regards!
Iliya
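As an added illustration (not code from oclif/core, ejs, or the issue author), here is the handler shape the description above warns about, next to an allowlisted alternative. The request object is constructed for the example; `buildRenderArgsUnsafe`, `buildRenderArgsSafe` and `leakedOptionKeys` are hypothetical helper names, and the set of ejs option names is my own subset of the documented options, not an exhaustive list. Neither express nor ejs is needed to run it, because both builders only produce the object a handler would hand to res.render().

```javascript
// Added example, not code from oclif/core or ejs. It contrasts "user input
// passed directly into res.render()" with an allowlisted handler.
// Neither express nor ejs is required: the builders only construct the
// object a handler would pass to res.render().

// Sample request, constructed for this example. In a real request the
// payload arrives as a query string or JSON body.
const sampleQuery = {
  name: 'alice',
  // ejs emits the value of outputFunctionName into the compiled template
  // function as an identifier, so an attacker-chosen value becomes code.
  // A marker is used here instead of a payload.
  outputFunctionName: 'injected',
};

// Vulnerable shape: everything the client sent becomes the render argument.
// With express + ejs, top-level keys of that object are not only template
// variables; ejs also reads engine options (outputFunctionName, client,
// escape, ...) from the same object.
function buildRenderArgsUnsafe(query) {
  return { view: 'profile', options: { ...query } };
}

// ejs engine options that must stay under application control.
// Hypothetical subset taken from the ejs option list, for illustration.
const EJS_OPTION_KEYS = new Set([
  'outputFunctionName', 'client', 'escape', 'delimiter', 'openDelimiter',
  'closeDelimiter', 'root', 'views', 'filename', 'includer', 'async',
  'localsName', 'destructuredLocals', 'compileDebug', 'debug', 'cache',
  'context', 'strict', '_with', 'rmWhitespace',
]);

// Template variables this view legitimately accepts from the client.
const ALLOWED_LOCALS = new Set(['name']);

// Safe shape: copy only allowlisted locals, coerce them to strings, and
// never merge request data into the engine options.
function buildRenderArgsSafe(query) {
  const locals = {};
  for (const key of ALLOWED_LOCALS) {
    if (Object.prototype.hasOwnProperty.call(query, key)) {
      locals[key] = String(query[key]);
    }
  }
  return { view: 'profile', options: locals };
}

// Check usable in a unit test: which engine option keys in the final render
// argument originate from the request?
function leakedOptionKeys(query, options) {
  return Object.keys(options).filter(
    (k) => EJS_OPTION_KEYS.has(k) && Object.prototype.hasOwnProperty.call(query, k),
  );
}

console.log('unsafe leaks:', leakedOptionKeys(sampleQuery, buildRenderArgsUnsafe(sampleQuery).options));
console.log('safe leaks:', leakedOptionKeys(sampleQuery, buildRenderArgsSafe(sampleQuery).options));
```

For a project that only pulls ejs in transitively, as oclif/core does, the first check is `npm ls ejs` to see which version is actually resolved before acting on a scanner report; the second is that the application, not the template engine, keeps request data out of the engine options, which is why ejs treats reports of this kind as the caller's responsibility.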

Hi @filiar
We are already using ejs@3.1.8 in oclif/core:
[Screenshot 2023-09-12 at 10:01:03]

Also, ejs explicitly lists this kind of report as out of scope in its security policy, see:
https://github.com/mde/ejs/security#out-of-scope-vulnerabilities

Hi, @cristiand391.

Thank you for the prompt response. BlackDuck is reporting v3.1.8 as containing security risk. It is my mistake and the fix is in v3.1.9.

Our security team is pressing us to act on that. So, if you can, please revise by switching to ejs v3.1.9.

Kind Regards,
Iliya


@filiar yeah, we get those security scanner alerts from other customers in our CLI too 😄 . Seems it's just a minor bump anyway, I'll merge your PR next week. Thanks!