GHSA-7f5c-rpf4-86p8

Source

https://github.com/advisories/GHSA-7f5c-rpf4-86p8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-7f5c-rpf4-86p8/GHSA-7f5c-rpf4-86p8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7f5c-rpf4-86p8

Aliases

CVE-2021-32822

Published

2021-09-02T17:16:46Z

Modified

2023-11-08T04:06:01.378338Z

Severity

4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs

Details

The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.

Database specific

{
    "github_reviewed_at": "2021-08-26T17:12:06Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-538",
        "CWE-94"
    ],
    "nvd_published_at": "2021-08-16T19:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

npm / hbs

Package

Name: hbs; View open source insights on deps.dev
Purl: pkg:npm/hbs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-7f5c-rpf4-86p8/GHSA-7f5c-rpf4-86p8.json"