CVE-2021-21353
Remote code execution via the `pretty` option.
Description
### Impact

If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.

### Patches

Upgrade to the patched releases listed below (3.0.1, or 2.0.3), which correctly sanitise the parameter.

### Workarounds

If there is no way for untrusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

### References

Original report: https://github.com/pugjs/pug/issues/3312

### For more information

If you believe you have found other vulnerabilities, please **DO NOT** open an issue. Instead, you can follow the instructions in our [Security Policy](https://github.com/pugjs/pug/blob/master/SECURITY.md).
How to patch CVE-2021-21353
To patch CVE-2021-21353, upgrade the affected packages to the patched versions below.
- Upgrade to 3.0.1 or later
- Upgrade to 2.0.3 or later
Is CVE-2021-21353 being exploited?
Low: EPSS is 1.8%, and no large-scale exploitation activity has been observed.
Affected packages (2)
- from 0, < 3.0.1
- from 0, < 2.0.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.8) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |