CVE-2017-1000189
published 2017-11-17CVE-2017-1000189: nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
PriorityP335high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
2.27%
80.8th percentile
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ejs | < node-ejs 2.5.7-1 (bookworm) | node-ejs 2.5.7-1 (bookworm) |
| ejs | ejs | < 2.5.5 | 2.5.5 |
| ejs | ejs | >= 0 < 2.5.5 | 2.5.5 |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2017-1000189: node-ejs - nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to ...
vendor_debian·2017·CVSS 7.5
CVE-2017-1000189 [HIGH] CVE-2017-1000189: node-ejs - nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to ...
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
Scope: local
bookworm: resolved (fixed in 2.5.7-1)
bullseye: resolved (fixed in 2.5.7-1)
forky: resolved (fixed in 2.5.7-1)
sid: resolved (fixed in 2.5.7-1)
trixie: resolved (fixed in 2.5.7-1)
Red Hat
nodejs-ejs: Denial of Service via renderFile() by overriding localNames
vendor_redhat·2016-12-06·CVSS 7.5
CVE-2017-1000189 [HIGH] CWE-88 nodejs-ejs: Denial of Service via renderFile() by overriding localNames
nodejs-ejs: Denial of Service via renderFile() by overriding localNames
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
Package: fh-appstore (Red Hat Mobile Application Platform 4) - Not affected
Package: fh-ngui (Red Hat Mobile Application Platform 4) - Not affected
OSV
ejs vulnerable to DoS due to weak input validation
osv·2018-03-05
CVE-2017-1000189 [HIGH] ejs vulnerable to DoS due to weak input validation
ejs vulnerable to DoS due to weak input validation
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in `ejs.renderFile()`
GHSA
ejs vulnerable to DoS due to weak input validation
ghsa·2018-03-05
CVE-2017-1000189 [HIGH] CWE-20 ejs vulnerable to DoS due to weak input validation
ejs vulnerable to DoS due to weak input validation
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in `ejs.renderFile()`
OSV
CVE-2017-1000189: nodejs ejs version older than 2
osv·2017-11-17·CVSS 7.5
CVE-2017-1000189 [HIGH] CVE-2017-1000189: nodejs ejs version older than 2
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile()
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-1000189 nodejs-ejs: Denial of Service via renderFile() by overriding localNames
bugzilla·2016-12-13·CVSS 7.5
CVE-2017-1000189 [HIGH] CVE-2017-1000189 nodejs-ejs: Denial of Service via renderFile() by overriding localNames
CVE-2017-1000189 nodejs-ejs: Denial of Service via renderFile() by overriding localNames
It was found that nodejs-ejs < 2.5.5 is vulnerable to DoS issue by letting the attacker under certain conditions control and override the localNames option causing it to crash.
Upstream patch:
https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f
External Reference:
https://snyk.io/vuln/npm:ejs:20161130-1
Discussion:
Created nodejs-ejs tracking bugs for this issue:
Affects: fedora-all [bug 1404189]
Affects: epel-all [bug 1404190]
Bugzilla
CVE-2017-1000188 CVE-2017-1000189 nodejs-ejs: various flaws [epel-all]
bugzilla·2016-12-13·CVSS 6.1
CVE-2017-1000188 [MEDIUM] CVE-2017-1000188 CVE-2017-1000189 nodejs-ejs: various flaws [epel-all]
CVE-2017-1000188 CVE-2017-1000189 nodejs-ejs: various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fe
Bugzilla
CVE-2017-1000188 CVE-2017-1000189 nodejs-ejs: various flaws [fedora-all]
bugzilla·2016-12-13·CVSS 6.1
CVE-2017-1000188 [MEDIUM] CVE-2017-1000188 CVE-2017-1000189 nodejs-ejs: various flaws [fedora-all]
CVE-2017-1000188 CVE-2017-1000189 nodejs-ejs: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedor
2017-11-17
Published