CVE-2021-32820 (Medium) detected in express-handlebars-5.3.2.tgz

Question

CVE-2021-32820 (Medium) detected in express-handlebars-5.3.2.tgz

Closed this issue 4 years ago · 0 comments

mend-bolt-for-github commented 4 years ago

CVE-2021-32820 - Medium Severity Vulnerability

Vulnerable Library - express-handlebars-5.3.2.tgz

A Handlebars view engine for Express which doesn't suck.

Library home page: https://registry.npmjs.org/express-handlebars/-/express-handlebars-5.3.2.tgz

Path to dependency file: keycloak-radius-plugin/Examples/OTPPasswordJSExample/package.json

Path to vulnerable library: keycloak-radius-plugin/Examples/OTPPasswordJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/ConditionAccessRequestJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/OneTimePasswordJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/RadiusDefaultRealmJSExample/node_modules/express-handlebars/package.json,keycloak-radius-plugin/Examples/RadiusAuthorizationJSExample/node_modules/express-handlebars/package.json

Dependency Hierarchy:

❌ express-handlebars-5.3.2.tgz (Vulnerable Library)

Found in HEAD commit: f42eb0ebaedc72304029b423e82fc408cd7863b8

Found in base branch: master

Vulnerability Details

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.

Publish Date: 2021-05-14

URL: CVE-2021-32820

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here