Fix ejs@2.7.4 vulnerability - WS-2021-0153

[derBinder]

https://www.whitesourcesoftware.com/vulnerability-database/WS-2021-0153

Possible fix: Upgrade to version ejs - 3.1.6

[derBinder]

@bbyars ping

[bbyars]

This is tricky. EJS introduced syntactically breaking changes in version 3 . Do you see any option of solving the security concern without breaking everyone's existing config files?

[cod-wag]

This is an old issue with no resolution, and now there is another critical vulnerability in EJS versions < 3.1.6
https://www.mend.io/vulnerability-database/CVE-2022-29078

@bbyars If there is no plan to migrate to version 3 of EJS, then what about removing the mountebank-formatters dependency from mountebank repo?

[levpachmanov]

Hey @bbyars @derBinder,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ejs 2.7.4-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app.
Please feel free to reach us at info@seal.security if you have any requests/questions.

[oliver-dungey]

I like @levpachmanov idea to mitigate the CVE with the current ejs version. @bbyars have you thought about creating a new ejs V3 formatter that could sit alongside the existing one that could be adopted by newcomers and letting people migrate over time?

[biddster]

Looks like @tangzhen has sorted this for us. Thank you.

#2

@bbyars guess we just need a major semver and we're good to go?

[oliver-dungey]

We have a fix and things seem to have gone quiet for a while, @bbyars sorry to nag - is there anything we can do to move this forward?