12 matches found
Security Bulletin: IBM Cloud Pak for Data is vulnerable to Prototype Pollution due to ejs package (CVE-2024-33883)
Summary: Potential vulnerabilities in the ejs package have been identified that may affect IBM Cloud Pak for Data. Vulnerability Details: CVEID: CVE-2024-33883 DESCRIPTION: The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection. CWE: CWE-693:...
CVE-2024-33883
The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...
Linux Distros Unpatched Vulnerability : CVE-2024-33883
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection. CVE-2024-33883 Note that Nessus relies on the...
CVE-2024-33883
The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...
CVE-2024-33883
The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...
PT-2024-4417 · Ejs +3
Name of the Vulnerable Software and Affected Versions: ejs versions prior to 3.1.10 Description: The issue is related to the lack of certain pollution protection in the ejs package, which can be exploited to execute arbitrary code by injecting specially crafted JavaScript code. This can be done b...
CVE-2024-33883
CVE-2024-33883: The Node.js module ejs (Embedded JavaScript templates), in versions before 3.1.10, lacks certain pollution protection, enabling local attackers to potentially cause a denial of service. The connected IBM/Astra Linux references confirm the same description. Reported impact: den...
IBM Cognos Analytics Multiple Vulnerabilities (6616285)
The version of IBM Cognos Analytics installed on the remote host is affected by multiple vulnerabilities, including the following: - The ejs aka Embedded JavaScript templates package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed ...
Design/Logic Flaw
The ejs aka Embedded JavaScript templates package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon template...
CVE-2022-29078
The ejs aka Embedded JavaScript templates package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon template...
CVE-2022-29078
The ejs aka Embedded JavaScript templates package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon template...
Denial of Service (DoS)
Overview ejs is a popular JavaScript templating engine. Affected versions of the package are vulnerable to Denial of Service by letting the attacker under certain conditions control and override the localNames option causing it to crash. You can read more about this vulnerability on the Snyk blog...