CVE-2021-32820

File disclosure in Express Handlebars

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.

Express-handlebars es un motor de visualización handlebars para Express. Express-handlebars mezcla datos de plantilla puros con opciones de configuración del motor mediante la API de renderizado Express. Más específicamente, el parámetro layout puede desencadenar vulnerabilidades de divulgación de archivos en aplicaciones posteriores. Esta vulnerabilidad potencial está algo restringida en el sentido de que solo pueden ser incluidos archivos con extensiones existentes (es decir, file.extension), los archivos que carecen de extensión tendrán .handlebars adjuntos. Para obtener detalles completos, consulte el reporte GHSL-2021-018 al que se hace referencia. Se han agregado notas en una documentación para ayudar a usuarios a evitar esta potencial vulnerabilidad de exposición de información

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-05-14 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-09-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (5)

URL	Tag	Source
https://github.com/express-handlebars/express-handlebars/blob/78c47a235c4ad7bc2674bddd8ec2721567ed8c72/README.md#danger-	Third Party Advisory
https://www.npmjs.com/package/express-handlebars	Third Party Advisory

URL	Date	SRC
https://github.com/express-handlebars/express-handlebars/pull/163	2024-08-03
https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars	2024-08-03

URL	Date	SRC
https://github.com/express-handlebars/express-handlebars/commit/78c47a235c4ad7bc2674bddd8ec2721567ed8c72	2022-07-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Express Handlebars Project Search vendor "Express Handlebars Project"		Express Handlebars Search vendor "Express Handlebars Project" for product "Express Handlebars"				<= 5.3.2 Search vendor "Express Handlebars Project" for product "Express Handlebars" and version " <= 5.3.2"		node.js		Affected