Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE4ajYtcHdxeC1wbTk2
Insecure template handling in Squirrelly
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API, so data passed to render can overwrite internal configuration options. By overwriting those options, remote code execution may be triggered in downstream applications. Version 9.0.0 contains a fix for this issue. For complete details, refer to the referenced GHSL-2021-023.
Permalink: https://github.com/advisories/GHSA-q8j6-pwqx-pm96
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE4ajYtcHdxeC1wbTk2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-q8j6-pwqx-pm96, CVE-2021-32819
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-32819
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
- https://github.com/squirrellyjs/squirrelly/pull/254
- https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e
- https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da
- https://github.com/advisories/GHSA-q8j6-pwqx-pm96
Blast Radius: 21.9
Affected Packages
npm:squirrelly
Dependent packages: 95
Dependent repositories: 540
Downloads: 116,720 last month
Affected Version Ranges: <= 8.0.8
Fixed in: 9.0.0
All affected versions: 1.0.0, 1.0.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 3.0.0, 3.0.1, 3.0.2, 4.0.0, 4.1.0, 5.0.0, 5.0.1, 5.1.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.9.1, 7.9.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8
All unaffected versions: 9.0.0, 9.1.0