CVE-2022-25967
published 2023-01-30CVE-2022-25967: Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options…
PriorityP259high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.99%
78.2th percentile
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eta.js | eta | < 2.0.0 | 2.0.0 |
| eta.js | eta | >= 0 < 2.0.0 | 2.0.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerable versions of the 'eta' npm package (before 2.0.0) allow RCE via overwriting template engine configuration variables with user-supplied view options passed through the Express render API ↗
- →Exploitation is only possible when templates are rendered with user-defined/user-controlled data; monitor Express render API calls where user input is passed as view options ↗
- ·The vulnerability requires user-controlled data to be passed into the Express render API view options; deployments not exposing template rendering to user input are not affected ↗
- ·The OpenShift Developer Tools package 'odo' which depends on eta is marked 'Will not fix' by Red Hat ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Eta vulnerable to Code Injection via templates rendered with user-defined data
ghsa·2023-01-30
CVE-2022-25967 [HIGH] CWE-94 Eta vulnerable to Code Injection via templates rendered with user-defined data
Eta vulnerable to Code Injection via templates rendered with user-defined data
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
OSV
Eta vulnerable to Code Injection via templates rendered with user-defined data
osv·2023-01-30
CVE-2022-25967 [HIGH] Eta vulnerable to Code Injection via templates rendered with user-defined data
Eta vulnerable to Code Injection via templates rendered with user-defined data
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
Red Hat
eta: Remote Code Execution by overwriting template engine configuration variables
vendor_redhat·2023-01-30·CVSS 8.1
CVE-2022-25967 [HIGH] CWE-94 eta: Remote Code Execution by overwriting template engine configuration variables
eta: Remote Code Execution by overwriting template engine configuration variables
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API.
**Note:** This is exploitable only for users who are rendering templates with user-defined data.
A flaw was found in the ETA npm package. Affected versions of this package are vulnerable to remote code execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API.
Package: odo (OpenShift Developer Tools and Services) - Will not fix
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138ddhttps://security.snyk.io/vuln/SNYK-JS-ETA-2936803https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138ddhttps://security.snyk.io/vuln/SNYK-JS-ETA-2936803https://security.snyk.io/vuln/SNYK-JS-ETA-2936803
2023-01-30
Published