File disclosure in hbs
CVE-2021-32822

4MEDIUM

Key Information:

Vendor: Pillarjs
Status: Hbs
Vendor: CVE Published:; 16 August 2021

What is CVE-2021-32822?

The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.

Affected Version(s)

hbs all

References

https://securitylab.github.com/advisories/GHSL-2021-020-p...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 16, 2021
Vulnerability Reserved
May 12, 2021

Pillarjs

What is CVE-2021-32822?

Affected Version(s)

References

CVSS V3.1

Timeline