
{
"id": "CVE-2024-45390",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-09-03T20:15:08.423",
"lastModified": "2024-09-12T20:15:15.673",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "@blakeembrey/template is a string template library. Prior to version 1.2.0, an attacker who can control the template name is able to inject and run code within the template. Version 1.2.0 contains a patch. As a workaround, do not pass untrusted input as the template display name, or do not use the display name feature."
},
{
"lang": "es",
"value": "@blakeembrey/template es una librer\u00eda de plantillas de cadenas. Antes de la versi\u00f3n 1.2.0, era posible inyectar y ejecutar c\u00f3digo dentro de la plantilla si el atacante ten\u00eda acceso para escribir el nombre de la plantilla. La versi\u00f3n 1.2.0 contiene un parche. Como workaround, no pase una entrada que no sea de confianza como nombre para mostrar de la plantilla o no use la funci\u00f3n de nombre para mostrar."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "LOW"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-94"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:blakeembrey:template:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "1.2.0",
"matchCriteriaId": "2DEB203C-CE34-41AC-A98C-38B707AC7E8D"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa",
"source": "security-advisories@github.com",
"tags": [
"Patch"
]
},
{
"url": "https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj",
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
]
}
]
}