Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-21353
Summary
In pug-code-gen before version 2.0.3, and 3.x before 3.0.2, if a remote attacker was able to control the `pretty` option of the pug compiler (for example because a user-provided object, such as the query parameters of a request, was spread into the pug-code-gen template options), they could achieve remote code execution on the Node.js backend. This vulnerability is not exploitable if there is no way for untrusted input to reach pug-code-gen as the `pretty` option; for example, if you compile templates in advance and only then apply user input to them, you do not need to upgrade.
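The pattern the summary warns about, spreading a request object into compiler options, is easy to spot once written out. The following is an added example (not code from this advisory or from the pug project) showing that unsafe pattern next to a hardened version in which compiler options are fixed server-side and request data is only ever passed as allowlisted template locals. It also includes a small review/runtime check for request keys that collide with compiler option names, and a version check against the fixed releases named above (2.0.3 and 3.0.2). It assumes an Express-style `req.query` object and does not invoke pug itself; the option names other than `pretty` are an assumed, non-exhaustive list.

```javascript
// Added example, not code from the advisory or from the pug project.
// Assumes an Express-style `req.query` object; pug is not invoked here.

// Constructed sample: what `req.query` looks like for a request such as
// GET /page?title=Hello&pretty=anything  (query values always arrive as strings)
const constructedQuery = { title: 'Hello', pretty: 'anything' };

// UNSAFE: every key in the query object becomes a compiler option, so a
// request can set `pretty` (and any other option) seen by pug-code-gen.
function unsafeCompileOptions(query) {
  return { filename: 'page.pug', ...query };
}

// HARDENED: compiler options are fixed server-side and never merged with
// request data. Compile templates once at startup with these options and
// apply user input only when rendering.
function safeCompileOptions() {
  return Object.freeze({ filename: 'page.pug', pretty: false });
}

// Request data is passed only as template locals, restricted to an explicit
// allowlist of expected keys and coerced to plain strings.
const ALLOWED_LOCALS = ['title'];
function safeLocals(query) {
  const locals = {};
  for (const key of ALLOWED_LOCALS) {
    if (Object.prototype.hasOwnProperty.call(query, key)) {
      locals[key] = String(query[key]);
    }
  }
  return locals;
}

// Guard for code review or a runtime assertion: list the keys of a request
// object that collide with compiler option names. `pretty` is the option the
// advisory names; the remaining entries are an assumed, non-exhaustive set of
// pug compile options that likewise must never be request-controlled.
const COMPILER_OPTION_NAMES = new Set([
  'pretty', 'filename', 'basedir', 'doctype', 'compileDebug', 'globals',
]);
function findTaintedOptions(query) {
  return Object.keys(query).filter((k) => COMPILER_OPTION_NAMES.has(k));
}

// Version check against the advisory's ranges: affected if < 2.0.3,
// or 3.x and < 3.0.2. Plain "major.minor.patch" strings are assumed.
function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10));
}
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}
function isAffectedPugCodeGen(version) {
  const v = parseVersion(version);
  if (v[0] === 3) return lessThan(v, [3, 0, 2]);
  return lessThan(v, [2, 0, 3]);
}

// Stand-alone demonstration.
console.log('unsafe options:', unsafeCompileOptions(constructedQuery));
console.log('safe options:', safeCompileOptions());
console.log('locals passed to render:', safeLocals(constructedQuery));
console.log('request keys colliding with compiler options:', findTaintedOptions(constructedQuery));
console.log('pug-code-gen 3.0.1 affected:', isAffectedPugCodeGen('3.0.1'));
```

The key design point is that the compile step and the render step receive different objects: compile options come from server configuration only, and user data enters solely as locals at render time, which is exactly the "compile templates in advance" condition under which the advisory says the issue is not exploitable. `findTaintedOptions` is useful as a quick audit of existing handlers that build options from `req.query`, `req.body` or similar.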
- HIGH
- NETWORK
- HIGH
- CHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-74 - Injection
Listed as the number one web application security risk on the 'OWASP Top Ten', injection attacks are widespread and dangerous, especially in legacy applications. Injection attacks are a class of vulnerabilities in which an attacker injects untrusted data into a web application that gets processed by an interpreter, altering the program's execution. This can result in data loss/theft, loss of data integrity, denial of service, and even compromising the entire system.
References
Advisory Timeline
- Published