CVE-2017-1000228

NameCVE-2017-1000228
Descriptionnodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-ejs (PTS)buster2.5.7-1+deb10u1fixed
bullseye2.5.7-3+deb11u1fixed
bookworm3.1.8+~3.1.1-2fixed
sid, trixie3.1.9+~3.1.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-ejssourcestretch(unfixed)end-of-life
node-ejssource(unstable)2.5.7-1

Notes

[stretch] - node-ejs <end-of-life> (Node not covered by security support)
https://security.snyk.io/vuln/npm:ejs:20161128
https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6 (v2.5.3)

Search for package or bug name: Reporting problems