CVE-2021-32817

CVSS V2 Medium 4.3 CVSS V3 Medium 6.8
Description
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.
Overview
  • CVE ID
  • CVE-2021-32817
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2021-05-14T19:15:07
  • Last Modified Date
  • 2022-07-02T18:24:31
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:express_handlebars_project:express_handlebars:*:*:*:*:*:node.js:*:* 1 OR 5.3.2
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:P/I:N/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • HIGH
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • CHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • NONE
  • Base Score
  • 6.8
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.2
  • Impact Score
  • 4
History
Created Old Value New Value Data Type Notes
2022-05-10 16:15:39 Added to TrackCVE
2022-12-05 02:19:30 2021-05-14T19:15Z 2021-05-14T19:15:07 CVE Published Date updated
2022-12-05 02:19:30 2022-07-02T18:24:31 CVE Modified Date updated
2022-12-05 02:19:30 Analyzed Vulnerability Status updated