-
Notifications
You must be signed in to change notification settings - Fork 868
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2022-29078 (High) detected in ejs-3.1.6.tgz - autoclosed #1501
Labels
cve
Security vulnerabilities detected by Dependabot or Mend
high severity
High severity CVE
Mend: dependency security vulnerability
Security vulnerability detected by Mend
v1.3.2
v2.0.0
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Security vulnerability detected by Mend
label
Apr 27, 2022
tmarkley
added
high severity
High severity CVE
cve
Security vulnerabilities detected by Dependabot or Mend
labels
Apr 28, 2022
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
mend-for-github-com
bot
changed the title
CVE-2022-29078 (High) detected in ejs-3.1.6.tgz
CVE-2022-29078 (High) detected in ejs-3.1.6.tgz - autoclosed
Apr 29, 2022
tmarkley
pushed a commit
to tmarkley/OpenSearch-Dashboards
that referenced
this issue
Apr 29, 2022
Bumps [ejs](https://github.com/mde/ejs) from 3.1.6 to 3.1.7. - [Release notes](https://github.com/mde/ejs/releases) - [Changelog](https://github.com/mde/ejs/blob/main/CHANGELOG.md) - [Commits](mde/ejs@v3.1.6...v3.1.7) Resolves opensearch-project#1501 - CVE-2022-29078 --- updated-dependencies: - dependency-name: ejs dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tommy Markley <markleyt@amazon.com>
1 task
tmarkley
pushed a commit
to tmarkley/OpenSearch-Dashboards
that referenced
this issue
Apr 29, 2022
Bumps [ejs](https://github.com/mde/ejs) from 3.1.6 to 3.1.7. - [Release notes](https://github.com/mde/ejs/releases) - [Changelog](https://github.com/mde/ejs/blob/main/CHANGELOG.md) - [Commits](mde/ejs@v3.1.6...v3.1.7) Resolves opensearch-project#1501 - CVE-2022-29078 --- updated-dependencies: - dependency-name: ejs dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tommy Markley <markleyt@amazon.com>
1 task
tmarkley
pushed a commit
that referenced
this issue
Apr 29, 2022
Bumps [ejs](https://github.com/mde/ejs) from 3.1.6 to 3.1.7. - [Release notes](https://github.com/mde/ejs/releases) - [Changelog](https://github.com/mde/ejs/blob/main/CHANGELOG.md) - [Commits](mde/ejs@v3.1.6...v3.1.7) Resolves #1501 --- updated-dependencies: - dependency-name: ejs dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit 886f3e3)
ashwin-pc
pushed a commit
that referenced
this issue
Apr 29, 2022
Bumps [ejs](https://github.com/mde/ejs) from 3.1.6 to 3.1.7. - [Release notes](https://github.com/mde/ejs/releases) - [Changelog](https://github.com/mde/ejs/blob/main/CHANGELOG.md) - [Commits](mde/ejs@v3.1.6...v3.1.7) Resolves #1501 - CVE-2022-29078 --- updated-dependencies: - dependency-name: ejs dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tommy Markley <markleyt@amazon.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ashwin-pc
pushed a commit
that referenced
this issue
Apr 29, 2022
Bumps [ejs](https://github.com/mde/ejs) from 3.1.6 to 3.1.7. - [Release notes](https://github.com/mde/ejs/releases) - [Changelog](https://github.com/mde/ejs/blob/main/CHANGELOG.md) - [Commits](mde/ejs@v3.1.6...v3.1.7) Resolves #1501 - CVE-2022-29078 --- updated-dependencies: - dependency-name: ejs dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tommy Markley <markleyt@amazon.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
tmarkley
pushed a commit
that referenced
this issue
May 3, 2022
Bumps [ejs](https://github.com/mde/ejs) from 3.1.6 to 3.1.7. - [Release notes](https://github.com/mde/ejs/releases) - [Changelog](https://github.com/mde/ejs/blob/main/CHANGELOG.md) - [Commits](mde/ejs@v3.1.6...v3.1.7) Resolves #1501 - CVE-2022-29078 --- updated-dependencies: - dependency-name: ejs dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit 886f3e3)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
cve
Security vulnerabilities detected by Dependabot or Mend
high severity
High severity CVE
Mend: dependency security vulnerability
Security vulnerability detected by Mend
v1.3.2
v2.0.0
CVE-2022-29078 - High Severity Vulnerability
Vulnerable Library - ejs-3.1.6.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz
Dependency Hierarchy:
Found in HEAD commit: f9e572d50be9bd7e9baf8b4387af40b0252cec4a
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution: ejs - v3.1.7
The text was updated successfully, but these errors were encountered: