Fluid Attacks Database

Description

ejs template injection vulnerability The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-ejs	>=0 <3.1.7-1	3.1.7-1
debian 13	node-ejs	>=0 <3.1.7-1	3.1.7-1
debian 14	node-ejs	>=0 <3.1.7-1	3.1.7-1
npm	ejs	>=0 <3.1.7	3.1.7
debian 11	node-ejs	=2.5.7-3 \|\| >=0 <2.5.7-3+deb11u1	2.5.7-3+deb11u1
rpm rhel8	pcs	-	-

Aliases

1. CVE-2022-290782. NVD-2022-290783. OSV-DEBIAN-2022-290784. OSV-2022-290785. GCVE-2022-290786. SECURITY-TRACKER-CVE-2022-29078

References

1. https://vulncheck.com/cve/CVE-2022-290782. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-29078.yaml3. https://github.com/miko550/CVE-2022-290784. https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf5. https://eslam.io/posts/ejs-server-side-template-injection-rce6. https://github.com/mde/ejs/releases7. https://security.netapp.com/advisory/ntap-20220804-0001