Executive Summary

Informations
Name CVE-2021-21353 First vendor Publication 2021-03-03
Vendor Cve Last vendor Modification 2025-05-27

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Overall CVSS Score 9
Base Score 9 Environmental Score 9
impact SubScore 6 Temporal Score 9
Exploitabality Sub Score 2.2
 
Attack Vector Network Attack Complexity High
Privileges Required None User Interaction None
Scope Changed Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21353

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 1

Sources (Detail)

https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0
https://github.com/pugjs/pug/issues/3312
https://github.com/pugjs/pug/pull/3314
https://github.com/pugjs/pug/releases/tag/pug%403.0.1
https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr
https://www.npmjs.com/package/pug
https://www.npmjs.com/package/pug-code-gen
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
Date Informations
2025-05-28 00:21:05
  • Multiple Updates
2025-05-27 01:38:58
  • Multiple Updates
2024-11-28 13:51:59
  • Multiple Updates
2021-05-04 14:07:40
  • Multiple Updates
2021-04-22 03:12:42
  • Multiple Updates
2021-03-26 12:38:01
  • First insertion