nunjucks-3.2.3.tgz: 1 vulnerabilities (highest severity is: 5.5) #25
Description
Vulnerable Library - nunjucks-3.2.3.tgz
A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)
Library home page: https://registry.npmjs.org/nunjucks/-/nunjucks-3.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nunjucks/package.json
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (nunjucks version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2023-2142 |  Medium |
5.5 | nunjucks-3.2.3.tgz | Direct | nunjucks - 3.2.4 | ✅ |
Details
CVE-2023-2142
Vulnerable Library - nunjucks-3.2.3.tgz
A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)
Library home page: https://registry.npmjs.org/nunjucks/-/nunjucks-3.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nunjucks/package.json
Dependency Hierarchy:
- ❌ nunjucks-3.2.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Nunjucks is vulnerable to autoescape bypass that may lead to cross site scripting (XSS). It was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character. The issue was patched in version 3.2.4.
Publish Date: 2023-04-18
URL: CVE-2023-2142
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-x77j-w7wf-fjmw
Release Date: 2023-04-18
Fix Resolution: nunjucks - 3.2.4
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.