File disclosure in express-hbs
CVE-2021-32817

5.4MEDIUM

Key Information:

Vendor

Tryghost

Status
Express-hbs
Vendor
CVE Published:
14 May 2021

What is CVE-2021-32817?

express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

express-hbs < 2.4.0

References

https://securitylab.github.com/advisories/GHSL-2021-019-e...
x_refsource_CONFIRM
https://www.npmjs.com/package/express-hbs
x_refsource_MISC
https://github.com/TryGhost/express-hbs#%EF%B8%8F-this-cr...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.