CVE-2023-29827: Critical severity ejs vulnerability
Published May 4, 2023
·Updated
DISPUTED ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Affected Software
2 affected components
ejs Ejs Node.js=3.1.9
ejs Ejs Node.js>=3.1.9
Remediation
Patch Available
Event History
May 4, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
02:15 PM
Description
Disputed
02:15 PM
Data Sourced
via NVD·02:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-29827.
2
What is the severity of CVE-2023-29827?
The severity of CVE-2023-29827 is critical.
3
How does the vulnerability in ejs v3.1.9 manifest?
The vulnerability in ejs v3.1.9 allows for server-side template injection if the ejs file is controllable.
4
How can template injection be implemented in ejs v3.1.9?
Template injection can be implemented through the configuration settings of the closeDelimiter parameter.
5
Is there a fix available for this vulnerability?
Yes, the vendor has provided a fix for this vulnerability in later versions of ejs.