CVE-2021-32819 PoC — Squirrelly Information Disclosure Vulnerability

Source
Associated Vulnerability
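Title: Squirrelly Information Disclosure Vulnerability (CVE-2021-32819)
Description: npm squirrelly is an application from the US company npm. It provides a modern, configurable, and powerful fast template engine implemented in JavaScript. Squirrelly has an information disclosure vulnerability, which stems from mixing pure template data with engine configuration options through the Express render API. By overwriting internal configuration options, remote code execution can be triggered in downstream applications.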
Description
Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options, remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details, refer to the referenced GHSL-2021-023.
File Snapshot

id: CVE-2021-32819 info: name: Nodejs Squirrelly - Remote Code Execution author: pikpikcu sev ...