ejs-3.1.5.tgz: 4 vulnerabilities (highest severity is: 9.3) - autoclosed

Vulnerable Library - ejs-3.1.5.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (ejs version)	Remediation Possible**
WS-2021-0153	Critical	9.3	Not Defined		ejs-3.1.5.tgz	Direct	3.1.6	✅
CVE-2022-29078	Critical	9.3	Not Defined	35.3%	ejs-3.1.5.tgz	Direct	3.1.7	✅
CVE-2024-33883	High	8.7	Not Defined	0.0%	ejs-3.1.5.tgz	Direct	ejs - 3.1.10	✅
CVE-2022-3517	High	8.7	Not Defined	0.1%	minimatch-3.0.4.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2021-0153

### Vulnerable Library - ejs-3.1.5.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy: - :x: **ejs-3.1.5.tgz** (Vulnerable Library)

Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856

Found in base branch: unstable

### Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 4 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: 3.1.6

In order to enable automatic remediation, please create workflow rules

CVE-2022-29078

### Vulnerable Library - ejs-3.1.5.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy: - :x: **ejs-3.1.5.tgz** (Vulnerable Library)

Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856

Found in base branch: unstable

### Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 35.3%

### CVSS 4 Score Details (9.3)

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution: 3.1.7

In order to enable automatic remediation, please create workflow rules

CVE-2024-33883

### Vulnerable Library - ejs-3.1.5.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy: - :x: **ejs-3.1.5.tgz** (Vulnerable Library)

Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856

Found in base branch: unstable

### Vulnerability Details

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

Publish Date: 2024-04-28

URL: CVE-2024-33883

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (8.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-33883

Release Date: 2024-04-28

Fix Resolution: ejs - 3.1.10

In order to enable automatic remediation, please create workflow rules

CVE-2022-3517

### Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/scripts/auto_backtester/node_modules/minimatch/package.json,/scripts/genetic_backtester/node_modules/minimatch/package.json

Dependency Hierarchy: - ejs-3.1.5.tgz (Root Library) - jake-10.8.2.tgz - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)

Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856

Found in base branch: unstable

### Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.7)

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

In order to enable automatic remediation for this issue, please create workflow rules

rsoreq / zenbot

ejs-3.1.5.tgz: 4 vulnerabilities (highest severity is: 9.3) - autoclosed #858

Vulnerabilities

Details