Description

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.

Remediation

References

https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21

https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182

https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd

https://security.snyk.io/vuln/SNYK-JS-ETA-2936803

Related Vulnerabilities

CVE-2023-32070 Vulnerability in maven package org.xwiki.platform:xwiki-core-rendering-api

CVE-2021-4307 Vulnerability in npm package baobab

CVE-2016-7103 Vulnerability in maven package org.fujion.webjars:jquery-ui

CVE-2017-9791 Vulnerability in maven package org.apache.struts:struts2-struts1-plugin

CVE-2023-46131 Vulnerability in maven package org.grails:grails-web-common

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Broken Link Patch Third Party Advisory NVD-CWE-noinfo