[Git][security-tracker-team/security-tracker][master] CVE-2022-29078/node-ejs unfixed 1010359

[Neil Williams (@codehelp)]

Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1b822951 by Neil Williams at 2022-04-29T14:30:25+01:00
CVE-2022-29078/node-ejs unfixed 1010359

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2332,7 +2332,9 @@ CVE-2022-29080 (The npm-dependency-versions package through 0.3.0 for Node.js al
 CVE-2022-29079
 	RESERVED
 CVE-2022-29078 (The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js  ...)
-	NOT-FOR-US: ejs Node.js package
+	- node-ejs <unfixed> (bug #1010359)
+	NOTE: https://eslam.io/posts/ejs-server-side-template-injection-rce/
+	NOTE: https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf (v3.1.7)
 CVE-2022-29077 (A heap-based buffer overflow exists in rippled before 1.8.5. The vulne ...)
 	NOT-FOR-US: XRP rippled
 CVE-2022-29076



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b822951b10c0a7816a3a64181ca1d62f7e3aa70

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b822951b10c0a7816a3a64181ca1d62f7e3aa70
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220429/76daeb72/attachment.htm>