GHSA-ph3v-2hq5-5qfq

Suggest an improvement
Source
https://github.com/advisories/GHSA-ph3v-2hq5-5qfq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-ph3v-2hq5-5qfq/GHSA-ph3v-2hq5-5qfq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ph3v-2hq5-5qfq
Aliases
Published
2022-03-07T00:00:41Z
Modified
2024-12-05T05:37:55.651118Z
Summary
Code injection in RazorEngine
Details

In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Database specific
{
    "nvd_published_at": "2022-03-06T06:15:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-11T20:30:20Z"
}
References

Affected packages

NuGet / RazorEngine

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
4.5.1-alpha001

Affected versions

2.*

2.1.0

3.*

3.0.0
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.1.0
3.2.0
3.3.0
3.4.0
3.4.1
3.4.2
3.5.0-beta1
3.5.0-beta2
3.5.0-beta3
3.5.0
3.5.1
3.5.2
3.5.3
3.6.0
3.6.1
3.6.2
3.6.3-beta1
3.6.3-beta2
3.6.3
3.6.4
3.6.5-beta1
3.6.5
3.6.6-beta1
3.6.6-beta2
3.6.6
3.7.0-beta1
3.7.0
3.7.1-alpha1
3.7.2
3.7.3
3.7.4
3.7.5-beta1
3.7.5-beta2
3.7.5
3.7.6
3.7.7
3.8.0
3.8.1
3.8.2
3.9.0
3.9.1
3.9.2
3.9.3
3.10.0
3.10.1-alpha001

4.*

4.0.0-beta1
4.0.0-beta2
4.0.1-beta1
4.0.2-beta1
4.0.3-beta1
4.1.0-beta1
4.1.1-beta1
4.1.2-beta1
4.1.3-beta2
4.1.4-beta1
4.1.5-beta1
4.1.6-beta1
4.2.0-beta1
4.2.0-beta2
4.2.0-beta3
4.2.1-beta1
4.2.2-beta1
4.2.3-beta1
4.2.4-beta1
4.2.5-beta1
4.2.6-beta1
4.2.7-beta1
4.3.0-beta1
4.3.1-beta1
4.3.2-beta1
4.4.0-rc1
4.4.1-rc1
4.4.2-rc1
4.4.3-rc1
4.5.0-rc1
4.5.1-alpha001