Remote Code Execution (RCE) Affecting org.webjars.npm:pug-code-gen package, versions [0,]
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
4.07% (93rd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-1082233
- published 1 Mar 2021
- disclosed 10 Feb 2021
- credit CykuTW
Introduced: 10 Feb 2021
CVE-2021-21353 Open this link in a new tabHow to fix?
There is no fixed version for org.webjars.npm:pug-code-gen
.
Overview
org.webjars.npm:pug-code-gen is a Default code-generator for pug. It generates HTML via a JavaScript template function.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.
References
CVSS Scores
version 3.1