CVE-2021-21353
Published 2021-03-03
Priority: P2 (60)
CVSS 3.1: 9.0 CRITICAL (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 4.27% (89.9th percentile)
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Affected
3 distinct ranges (the source lists each twice)
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| pugjs | pug | < 3.0.1 | 3.0.1 |
| pugjs | pug-code-gen | < 2.0.3 | 2.0.3 |
| pugjs | pug-code-gen | >= 3.0.0 < 3.0.2 | 3.0.2 |
Detection & IOCs (extracted from sources)
- An attacker-controlled `pretty` option passed to the pug compiler enables RCE. Review every code path where a user-supplied object (e.g. `req.query` or `req.body`) is spread or merged into the options given to `pug.compile`/`pug.render` or to Express `res.render`; pug's Express integration reads render locals as compiler options, so a `pretty` key in those locals reaches the compiler.
- Audit Node.js applications for `pug` < 3.0.1, `pug-code-gen` < 2.0.3, or `pug-code-gen` 3.0.0 to 3.0.1 that let untrusted input reach the `pretty` compiler option.
- The openshift-logging/kibana6-rhel8 container image is a known affected package (Red Hat); flag deployments of this image for patching.
- The vulnerability is NOT exploitable if untrusted input cannot reach the `pretty` option, e.g. templates are compiled in advance with fixed options and user input is only supplied as template locals at render time.
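To turn the version part of the audit above into something repeatable, the following added script (not from the advisory or the pug project) scans a `package-lock.json` (lockfileVersion 2 or 3, `packages` map) for `pug` and `pug-code-gen` installs that fall inside the ranges listed on this page, including nested copies under another dependency's `node_modules`. `SAMPLE_LOCK` is constructed for the demonstration; `AFFECTED_RANGES`, `cmpVersion`, `affectedFixVersion` and `auditLockfile` are names chosen here. It does not tell you whether `pretty` is reachable from user input; that still needs the code review described in the first bullet.

```javascript
// Added example, not from the advisory or the pug project: audit a parsed
// package-lock.json for pug / pug-code-gen versions affected by CVE-2021-21353.

// Ranges and fixed versions as listed on this page.
const AFFECTED_RANGES = {
  'pug':          [{ lt: '3.0.1', fixed: '3.0.1' }],
  'pug-code-gen': [{ lt: '2.0.3', fixed: '2.0.3' },
                   { gte: '3.0.0', lt: '3.0.2', fixed: '3.0.2' }],
};

// Minimal semver compare: numeric major.minor.patch, and a prerelease
// (e.g. 3.0.1-beta.1) sorts below the same release, as semver specifies.
function cmpVersion(a, b) {
  const [ra, pa] = a.split('-', 2);
  const [rb, pb] = b.split('-', 2);
  const na = ra.split('.').map(Number);
  const nb = rb.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (na[i] || 0) - (nb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa && !pb) return -1;
  if (!pa && pb) return 1;
  return 0;
}

// Returns the version to upgrade to when `name@version` is affected, else null.
function affectedFixVersion(name, version) {
  for (const r of AFFECTED_RANGES[name] || []) {
    const aboveFloor = r.gte === undefined || cmpVersion(version, r.gte) >= 0;
    if (aboveFloor && cmpVersion(version, r.lt) < 0) return r.fixed;
  }
  return null;
}

// Keys in lock.packages look like "node_modules/pug" or, for nested installs,
// "node_modules/legacy-ui/node_modules/pug"; the package name is whatever
// follows the last "node_modules/" (scoped names keep their scope).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !entry.version) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    const fixed = affectedFixVersion(name, entry.version);
    if (fixed) findings.push({ path, name, version: entry.version, fixed });
  }
  return findings;
}

// Constructed lockfile excerpt: one patched nested pug-code-gen, three
// affected installs (top-level pug and pug-code-gen, nested legacy pug).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/pug': { version: '3.0.0' },
    'node_modules/pug-code-gen': { version: '3.0.1' },
    'node_modules/legacy-ui/node_modules/pug': { version: '2.0.4' },
    'node_modules/legacy-ui/node_modules/pug-code-gen': { version: '2.0.3' },
  },
};

function main() {
  // In practice: auditLockfile(JSON.parse(fs.readFileSync('package-lock.json')))
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.path}: ${f.name}@${f.version} affected by CVE-2021-21353, upgrade to ${f.fixed}`);
  }
}
main();
```

Nested copies matter here: `npm ls pug` only shows the resolved tree, while a lockfile walk also catches a second `pug-code-gen` pinned by a dependency that bundles its own pug.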
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Red Hat (vendor) | | 6.8 | MEDIUM | |
Red Hat
vendor_redhat · 2021-02-28 · CVSS 6.8 MEDIUM · CWE-1336
pug: user provided objects as input to pug templates can achieve remote code execution
OSV
osv · 2021-03-03 · MEDIUM
Remote code execution via the `pretty` option.
### Impact
If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.
### Patches
Upgrade to `pug@3.0.1` or `pug-code-gen@2.0.3` or `pug-code-gen@3.0.2`, which correctly sanitise the parameter.
### Workarounds
If there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
### References
Original report: https://github.com/pugjs/pug/issues/3312
### For more information
If you believe you have fo
GHSA
ghsa · 2021-03-03 · MEDIUM · CWE-74 · GHSA-p493-635q-r6gr
Remote code execution via the `pretty` option.
Advisory text (Impact, Patches, Workarounds, References) is identical to the OSV entry above, which mirrors this advisory.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr
- https://github.com/pugjs/pug/issues/3312
- https://github.com/pugjs/pug/pull/3314
- https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0
- https://github.com/pugjs/pug/releases/tag/pug%403.0.1
- https://www.npmjs.com/package/pug
- https://www.npmjs.com/package/pug-code-gen