CVE-2021-32819
HIGH8.0EPSS 89.6%Insecure template handling in Squirrelly
發布日:2021/5/17修改日:2023/11/8
描述
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. Version 9.0.0 has a fix for this issue. For complete details refer to the referenced [GHSL-2021-023](https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/).
受影響套件(1)
- npm/squirrellyfrom 0, < 9.0.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-32819
- ADVISORYhttps://securitylab.github.com/advisories/GHSL-2021-023-squirrelly
- PATCHhttps://github.com/squirrellyjs/squirrelly
- WEBhttps://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e
- WEBhttps://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da
- WEBhttps://github.com/squirrellyjs/squirrelly/pull/254