File disclosure in express-hbs
CVE-2021-32817

5.4MEDIUM

Key Information:

Vendor: Tryghost
Status: Express-hbs
Vendor: CVE Published:; 14 May 2021

What is CVE-2021-32817?

express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.

Affected Version(s)

express-hbs < 2.4.0

References

https://securitylab.github.com/advisories/GHSL-2021-019-e...

x_refsource_CONFIRM

https://www.npmjs.com/package/express-hbs

x_refsource_MISC

https://github.com/TryGhost/express-hbs#%EF%B8%8F-this-cr...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2021
Vulnerability Reserved
May 12, 2021

Tryghost

What is CVE-2021-32817?

Affected Version(s)

References

CVSS V3.1

Timeline