CVE-2024-45390

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45390
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa Patch
https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:blakeembrey:template:*:*:*:*:*:node.js:*:*
History

12 Sep 2024, 20:15

Type Values Removed Values Added
CPE cpe:2.3:a:blakeembrey:template:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : 7.3 		v2 : unknown
v3 : 9.8
First Time Blakeembrey template
Blakeembrey
References () https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa - () https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa - Patch
References () https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj - () https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj - Vendor Advisory

04 Sep 2024, 13:05

Type Values Removed Values Added
Summary
  • (es) @blakeembrey/template es una librería de plantillas de cadenas. Antes de la versión 1.2.0, era posible inyectar y ejecutar código dentro de la plantilla si el atacante tenía acceso para escribir el nombre de la plantilla. La versión 1.2.0 contiene un parche. Como workaround, no pase una entrada que no sea de confianza como nombre para mostrar de la plantilla o no use la función de nombre para mostrar.

03 Sep 2024, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-03 20:15

Updated : 2024-09-12 20:15

NVD link : CVE-2024-45390

Mitre link : CVE-2024-45390

CVE.ORG link : CVE-2024-45390

JSON object : View

Products Affected

blakeembrey

  • template
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')