Description
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
Remediation
References
https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21
https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182
https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
https://security.snyk.io/vuln/SNYK-JS-ETA-2936803
Related Vulnerabilities
CVE-2022-21191 Vulnerability in npm package global-modules-path
CVE-2019-10184 Vulnerability in maven package io.undertow:undertow-servlet
CVE-2020-5397 Vulnerability in maven package org.springframework:spring-webflux
CVE-2020-36732 Vulnerability in npm package crypto-js
CVE-2021-32730 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui