EJS, Server side template injection ejs@3.1.9 Latest #720
Comments
@pperk this issue was closed shortly after the initial report without comment, can you shed details, was this a false report? I noticed that there was apparently a CVE assigned for this issue, CVE-2023-29827

Is there any plan to fix this issue? It's affecting us also!!

This is clearly addressed in the SECURITY.md for the project: https://github.com/mde/ejs/blob/main/SECURITY.md#out-of-scope-vulnerabilities In short, don't ever, ever give unfiltered access to EJS's

I do not control any of these supposed vulnerability databases. I have sent an email to NVD. I have sent an issue to GH. Please feel free to contact those entities as well, regarding this issue.

With this approach of detecting vulnerabilities, everything becomes vulnerable, I mean... index.js everyone, please remove python from your computers.

Any idea on when we can expect a fix for this CVE?

Please read the thread. It's not a vulnerability, and I have no control of the databases. Please contact GitHub and NVD about this.

As an FYI @mde It looks like the organisation that assigned the CVE number is MITRE themselves - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29827 So I think you might need to contact MITRE directly through https://cveform.mitre.org/ and request a Rejection of the CVE, as they are the ones who can invalidate it. GitHub and NVD are just feeding this CVE through from MITRE.

The latest EJS report indicates that the Blackduck scan has been provided, but it states that the issue still persists.


If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. It can easily bypass the fix for CVE-2022-29078 in version 3.1.7.

Commit 15ee698 (files: index.js, page.ejs, package.json)

package.json:
{ "dependencies": { "ejs": "^3.1.9", "express": "^4.18.2" } }

The PoC looks like this:

Reaching this branch option makes code splicing and execution possible.

ejs/lib/ejs.js, line 844 in aed0124
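The point the maintainer's SECURITY.md link makes is that request input must never reach EJS's options argument; the template data (locals) and the render options are two different things. The following is an added example written for this page, not code from the EJS project or from anyone in this thread. The EJS_OPTION_KEYS set is my reading of EJS's documented option names and is an assumption to be checked against the EJS version in use; renderPage takes the render function as a parameter so the file runs without ejs installed (in an application you would pass ejs.render), and recordingRenderer plus constructedQuery are constructed stand-ins.

```javascript
// Added example, not part of the EJS project or of this issue thread.
// Goal: untrusted request input (query string, body) may populate template
// data, but must never reach EJS's options argument, where keys such as
// closeDelimiter change how the template itself is parsed.

// Assumption: names taken from EJS's documented render options; extend the
// set if the EJS version in use documents more.
const EJS_OPTION_KEYS = new Set([
  'delimiter', 'openDelimiter', 'closeDelimiter', 'client', 'escape',
  'compileDebug', 'debug', 'filename', 'root', 'views', 'context', 'cache',
  'rmWhitespace', 'strict', '_with', 'localsName', 'outputFunctionName',
  'async', 'includer', 'destructuredLocals',
]);

// Render options are fixed by the application and never built from a request.
const RENDER_OPTIONS = Object.freeze({ rmWhitespace: true });

// Copy only allow-listed keys out of untrusted input into a fresh,
// prototype-less object. Every other key (including every EJS option name,
// even if someone allow-listed it by mistake) is reported back so the caller
// can log it; values are coerced to strings because they are data, not code.
function buildTemplateData(untrusted, allowedKeys) {
  const data = Object.create(null);
  const rejected = [];
  for (const key of Object.keys(untrusted || {})) {
    if (allowedKeys.has(key) && !EJS_OPTION_KEYS.has(key)) {
      data[key] = String(untrusted[key]);
    } else {
      rejected.push(key);
    }
  }
  return { data, rejected };
}

// renderFn is injected so this file runs without ejs installed; in an
// application pass ejs.render. The template string is the application's own
// file content, never request input.
function renderPage(renderFn, template, untrusted, allowedKeys) {
  const { data, rejected } = buildTemplateData(untrusted, allowedKeys);
  if (rejected.length > 0) {
    // Detection hook: an EJS option name arriving in request input is worth an alert.
    console.warn('dropped keys from request input:', rejected.join(', '));
  }
  return { html: renderFn(template, data, RENDER_OPTIONS), rejected };
}

// Constructed stand-in renderer that records what it was called with, so the
// separation between data and options is visible without running EJS itself.
function recordingRenderer(calls) {
  return (template, data, options) => {
    calls.push({ template, data, options });
    return `rendered ${Object.keys(data).length} data key(s) with fixed options`;
  };
}

// Usage with constructed request input: one legitimate key plus an option name.
const calls = [];
const constructedQuery = { name: 'alice', closeDelimiter: '?' };
const result = renderPage(
  recordingRenderer(calls), '<p><%= name %></p>', constructedQuery, new Set(['name'])
);
console.log(result.html, '| rejected:', result.rejected.join(', '));
```

The design choice is that the options object is a frozen constant and the data object is rebuilt from an allow-list per request, so a pattern such as passing a request's query or body object straight through as the locals/options argument cannot occur; the rejected list doubles as a detection signal worth logging.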