*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Path to vulnerable library: /package.json,/scripts/auto_backtester/node_modules/minimatch/package.json,/scripts/genetic_backtester/node_modules/minimatch/package.json
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2021-0153
### Vulnerable Library - ejs-3.1.5.tgzEmbedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **ejs-3.1.5.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsArbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
### Threat AssessmentExploit Maturity: Not Defined
EPSS:
### CVSS 4 Score Details (9.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-01-22
Fix Resolution: 3.1.6
In order to enable automatic remediation, please create workflow rules
CVE-2022-29078
### Vulnerable Library - ejs-3.1.5.tgzEmbedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **ejs-3.1.5.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsThe ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 35.3%
### CVSS 4 Score Details (9.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution: 3.1.7
In order to enable automatic remediation, please create workflow rules
CVE-2024-33883
### Vulnerable Library - ejs-3.1.5.tgzEmbedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **ejs-3.1.5.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsThe ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Publish Date: 2024-04-28
URL: CVE-2024-33883
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883
Release Date: 2024-04-28
Fix Resolution: ejs - 3.1.10
In order to enable automatic remediation, please create workflow rules
CVE-2022-3517
### Vulnerable Library - minimatch-3.0.4.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/scripts/auto_backtester/node_modules/minimatch/package.json,/scripts/genetic_backtester/node_modules/minimatch/package.json
Dependency Hierarchy: - ejs-3.1.5.tgz (Root Library) - jake-10.8.2.tgz - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
In order to enable automatic remediation for this issue, please create workflow rules