Information Exposure Affecting angular-server-side-configuration package, versions >=15.0.0 <15.1.0
- Snyk ID SNYK-JS-ANGULARSERVERSIDECONFIGURATION-3373048
- published 26 Mar 2023
- disclosed 26 Mar 2023
- credit milo526
Introduced: 26 Mar 2023
CVE-2023-28444
How to fix?
Upgrade angular-server-side-configuration to version 15.1.0 or higher.
Overview
angular-server-side-configuration is a package for configuring an Angular application on the server.
Affected versions of this package are vulnerable to Information Exposure. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to an ngssc.json file in the output directory. During deployment of an Angular based app, the environment variables based on the variables from ngssc.json are inserted into the app's index.html (or defined index file).
In version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service to be detected and written to the ngssc.json, which would then be populated and exposed via index.html.
Note: This has no impact in a plain Angular project that has no backend component.
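The following is an added example, not code from the package or from this advisory: it shows how project-wide detection in a monorepo pulls backend variable names into ngssc.json, and a build-time check that compares the file against an allowlist of frontend variables. The monorepo layout, variable names, the simplified process.env matching and the environmentVariables array in ngssc.json are assumptions made for illustration.

```javascript
// Constructed monorepo: one Angular app and one backend service (hypothetical paths).
const files = {
  "apps/web/src/environments/environment.ts":
    "export const environment = { apiUrl: process.env.API_URL };",
  "apps/web/src/app/app.component.ts":
    "const theme = process.env.UI_THEME;",
  "services/api/src/db.ts":
    "const pw = process.env.DB_PASSWORD; const key = process.env.JWT_SIGNING_KEY;",
};

// Simplified stand-in for build-time detection: collect process.env.NAME
// references from .ts files whose path starts with `root`.
// An empty root means "the entire project", the scope described for 15.0.0.
function detectEnvVars(fileMap, root) {
  const found = new Set();
  for (const [path, source] of Object.entries(fileMap)) {
    if (!path.endsWith(".ts") || !path.startsWith(root)) continue;
    for (const m of source.matchAll(/process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g)) {
      found.add(m[1]);
    }
  }
  return [...found].sort();
}

// Build-output check: return every variable listed in ngssc.json that is not
// on the frontend allowlist. Assumes the names sit in `environmentVariables`.
function auditNgssc(ngsscText, allowed) {
  const vars = JSON.parse(ngsscText).environmentVariables;
  if (!Array.isArray(vars)) {
    throw new Error("ngssc.json: environmentVariables is missing or not an array");
  }
  const allow = new Set(allowed);
  return vars.filter((name) => !allow.has(name)).sort();
}

// Variables the frontend is meant to receive (constructed allowlist).
const FRONTEND_ALLOWLIST = ["API_URL", "UI_THEME"];

// Project-wide scope picks up the backend's variables; app scope does not.
const projectWide = detectEnvVars(files, "");
const appOnly = detectEnvVars(files, "apps/web/");
const ngsscText = JSON.stringify({ environmentVariables: projectWide });

console.log("project-wide:", projectWide);
console.log("app only:    ", appOnly);
console.log("unexpected in ngssc.json:", auditNgssc(ngsscText, FRONTEND_ALLOWLIST));
```

In a pipeline, pass the contents of the ngssc.json from the build output directory to auditNgssc and fail the build when the returned list is not empty.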