Skip to content

pug-2.0.4.tgz: 1 vulnerabilities (highest severity is: 6.8) #4

New issue
New issue
Open
Open
pug-2.0.4.tgz: 1 vulnerabilities (highest severity is: 6.8)#4
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jun 2, 2022
Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Found in HEAD commit: b3a60f2fbb6a737eb638b50bba11114a200c71e8

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (pug version) Remediation Possible** Reachability
CVE-2021-21353 Medium 6.8 Not Defined 4.2% pug-2.0.4.tgz Direct pug - 3.0.1,pug-code-gen - 3.0.2,pug-code-gen - 2.0.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-21353

Vulnerable Library - pug-2.0.4.tgz

A clean, whitespace-sensitive template language for writing HTML

Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pug/package.json

Dependency Hierarchy:

  • pug-2.0.4.tgz (Vulnerable Library)

Found in HEAD commit: b3a60f2fbb6a737eb638b50bba11114a200c71e8

Found in base branch: main

Vulnerability Details

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the "pretty" option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the "pretty" option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Publish Date: 2021-03-03

URL: CVE-2021-21353

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 4.2%

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p493-635q-r6gr

Release Date: 2021-03-03

Fix Resolution: pug - 3.0.1,pug-code-gen - 3.0.2,pug-code-gen - 2.0.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions