Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN3NXYtcDU0Yy1mNzR4
ejs is vulnerable to remote code execution due to weak input validation
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN3NXYtcDU0Yy1mNzR4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 7 years ago
Updated: about 1 hour ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.01682
EPSS Percentile: 0.87363
Identifiers: GHSA-3w5v-p54c-f74x, CVE-2017-1000228
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000228
- https://github.com/advisories/GHSA-3w5v-p54c-f74x
- https://snyk.io/vuln/npm:ejs:20161128
- https://web.archive.org/web/20171123041219/http://www.securityfocus.com/bid/101897
Affected Packages
npm:ejs
Dependent packages: 15,041Dependent repositories: 1,532,080
Downloads: 76,388,986 last month
Affected Version Ranges: < 2.5.3
Fixed in: 2.5.5
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.8, 1.0.0, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.1, 2.4.2, 2.5.1, 2.5.2
All unaffected versions: 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 3.0.1, 3.0.2, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10