CVE-2024-45390

Published Sep 3, 2024

Last updated 2 months ago

CVSS critical 9.8

Overview

Description: @blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-94
security-advisories@github.com: CWE-94

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:blakeembrey:template:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2DEB203C-CE34-41AC-A98C-38B707AC7E8D",
            "versionEndExcluding": "1.2.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References