Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYyanYtcjlyZi03OTg4

Remote code execution in handlebars when compiling templates

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Permalink: https://github.com/advisories/GHSA-f2jv-r9rf-7988
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYyanYtcjlyZi03OTg4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.132
EPSS Percentile: 0.95741

Identifiers: GHSA-f2jv-r9rf-7988, CVE-2021-23369
References: Repository: https://github.com/handlebars-lang/handlebars.js
Blast Radius: 79.2

Affected Packages

maven:org.webjars.bowergithub.wycats:handlebars.js
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 4.1.1, 4.2.0, 4.4.5, 4.5.3, 4.7.2
All unaffected versions:
maven:org.webjars.npm:handlebars
Dependent packages: 35
Dependent repositories: 5
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.3, 4.0.2, 4.0.5, 4.0.6, 4.0.11, 4.0.12, 4.0.14, 4.1.1, 4.1.2, 4.2.1, 4.3.1, 4.4.0, 4.4.5, 4.5.3, 4.7.2, 4.7.3, 4.7.6
All unaffected versions: 4.7.7, 4.7.8
maven:org.webjars:handlebars
Dependent packages: 18
Dependent repositories: 96
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.0.0, 1.1.2, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.3, 4.0.2, 4.0.5, 4.0.6, 4.0.11, 4.0.13, 4.0.14, 4.7.6
All unaffected versions: 4.7.7
npm:handlebars
Dependent packages: 15,556
Dependent repositories: 1,258,975
Downloads: 76,731,489 last month
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
All unaffected versions: 4.7.7, 4.7.8