Okta-signin-widget and CVE-2023-29827

The okta-signin-widget includes the ejs template library, which is triggering a CVE hit in our vulnerability scanner.

CVE-2023-29827 - NVD - CVE-2023-29827.

Can Okta confirm that the widget does not use the ejs render() method in an unsafe manner?


Okta Engineering looked into this and while there is reference to ejs in the package.json, there is no code making use of it.
This could be left over from older Widget versions and will be removed from package.json in the future.

For 6.x, 7.x versions of the Widget there is no risk presented by this vuln.

Thank you,

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.