CVE-2017-1000228: Input Validation
Published Nov 17, 2017
nodejs ejs versions older than 2.5.3 are vulnerable to remote code execution due to weak input validation in the ejs.renderFile() function.
Affected Software
2 affected components, fixes available
npm/ejs <2.5.3 (fixed in 2.5.5)
ejs ejs <2.5.3
Event History
Nov 17, 2017
CVE Published
via MITRE·03:00 AM
Data Sourced
via MITRE·03:00 AM
Description
Nov 30, 2017
Advisory Published
11:15 PM
Frequently Asked Questions
1. What is CVE-2017-1000228?
CVE-2017-1000228 is a vulnerability in nodejs ejs versions older than 2.5.3 that allows remote code execution due to weak input validation in the `ejs.renderFile()` function.
2. How severe is CVE-2017-1000228?
CVE-2017-1000228 has a severity rating of 9.8, which is considered critical.
3. Which versions of nodejs ejs are affected by CVE-2017-1000228?
Versions of nodejs ejs older than 2.5.3 are affected by CVE-2017-1000228.
4. How can I fix CVE-2017-1000228?
To fix CVE-2017-1000228, upgrade to version 2.5.5 of the nodejs ejs package.
5. What is the Common Weakness Enumeration (CWE) ID for CVE-2017-1000228?
CVE-2017-1000228 is associated with CWE-20, which is Improper Input Validation.