CVE-2021-32822
Last modified
CVE-2021-32822 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. EPSS estimates a 1.18% chance of exploitation in the next 30 days.
Description
The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hbs Project | Hbs | All versions |
References
- https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/Exploit, Third Party Advisory
- https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-32822?
How severe is CVE-2021-32822?
How do I fix CVE-2021-32822?
Are you affected by CVE-2021-32822?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST