Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJ3eHAtaHd3Zi02NTN2
Insecure template handling in express-hbs
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.
Permalink: https://github.com/advisories/GHSA-rwxp-hwwf-653vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJ3eHAtaHd3Zi02NTN2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-rwxp-hwwf-653v, CVE-2021-32817
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-32817
- https://github.com/TryGhost/express-hbs/commit/ff6fad6e357699412d4e916273314e5e7af1500e
- https://github.com/TryGhost/express-hbs#%EF%B8%8F-this-creates-a-potential-security-vulnerability
- https://securitylab.github.com/advisories/GHSL-2021-019-express-hbs/
- https://www.npmjs.com/package/express-hbs
- https://github.com/advisories/GHSA-rwxp-hwwf-653v
Blast Radius: 20.2
Affected Packages
npm:express-hbs
Dependent packages: 124Dependent repositories: 5,466
Downloads: 58,792 last month
Affected Version Ranges: <= 2.4.0
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.5.0, 0.5.1, 0.5.2, 0.6.1, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0