CVE-2024-33883
published 2024-04-28
CVE-2024-33883: The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Priority P4 · 14 · medium · 4 · CVSS 3.1
AV:L / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:L
EPSS: 0.61% (44.9th percentile)
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ejs | < node-ejs 3.1.10+~3.1.5-1 (forky) | node-ejs 3.1.10+~3.1.5-1 (forky) |
| ejs | ejs | >= 0 < 3.1.10 | 3.1.10 |
CVSS provenance
nvd · v3.1 · 4.0 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv · 4.0 · MEDIUM
vendor_debian · 4.0 · MEDIUM
OSV
CVE-2024-33883: The ejs (aka Embedded JavaScript templates) package before 3
osv·2024-04-28·CVSS 4.0
CVE-2024-33883 [MEDIUM] CVE-2024-33883: The ejs (aka Embedded JavaScript templates) package before 3
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
OSV
ejs lacks certain pollution protection
osv·2024-04-28
CVE-2024-33883 [MEDIUM] ejs lacks certain pollution protection
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
GHSA
ejs lacks certain pollution protection
ghsa·2024-04-28
CVE-2024-33883 [MEDIUM] CWE-1321 ejs lacks certain pollution protection
ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Debian
CVE-2024-33883: node-ejs - The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js la...
vendor_debian·2024·CVSS 4.0
CVE-2024-33883 [MEDIUM] CVE-2024-33883: node-ejs - The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js la...
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3.1.10+~3.1.5-1)
sid: resolved (fixed in 3.1.10+~3.1.5-1)
trixie: resolved (fixed in 3.1.10+~3.1.5-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5
https://github.com/mde/ejs/compare/v3.1.9...v3.1.10
https://security.netapp.com/advisory/ntap-20240605-0003/
2024-04-28
Published