CVE-2021-41170: Incorrect Permission Assignment for Critical Resource

November 8, 2021 (updated November 17, 2021)

neoan3-apps/template allows for passing in closures directly into the template engine. As a result, values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function in scope and can therefore be executed either by mistake or maliciously. In theory all users of the package are affected as long as they either deal with direct user input or database values.

References

github.com/sroehrl/neoan3-template/commit/4a2c9570f071d3c8f4ac790007599cba20e16934
github.com/sroehrl/neoan3-template/issues/8
github.com/sroehrl/neoan3-template/security/advisories/GHSA-3v56-q6r6-4gcw
nvd.nist.gov/vuln/detail/CVE-2021-41170

Code Behaviors & Features

Detect and mitigate CVE-2021-41170 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →