Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYyanYtcjlyZi03OTg4
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.
Permalink: https://github.com/advisories/GHSA-f2jv-r9rf-7988
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYyanYtcjlyZi03OTg4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0966
EPSS Percentile: 0.94781
Identifiers: GHSA-f2jv-r9rf-7988, CVE-2021-23369
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
Blast Radius: 79.2
Affected Packages
maven:org.webjars.bowergithub.wycats:handlebars.js
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 4.1.1, 4.2.0, 4.4.5, 4.5.3, 4.7.2
All unaffected versions:
maven:org.webjars.npm:handlebars
Dependent packages: 35
Dependent repositories: 5
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.3, 4.0.2, 4.0.5, 4.0.6, 4.0.11, 4.0.12, 4.0.14, 4.1.1, 4.1.2, 4.2.1, 4.3.1, 4.4.0, 4.4.5, 4.5.3, 4.7.2, 4.7.3, 4.7.6
All unaffected versions: 4.7.7, 4.7.8
maven:org.webjars:handlebars
Dependent packages: 18
Dependent repositories: 96
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.0.0, 1.1.2, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.3, 4.0.2, 4.0.5, 4.0.6, 4.0.11, 4.0.13, 4.0.14, 4.7.6
All unaffected versions: 4.7.7
npm:handlebars
Dependent packages: 15,556
Dependent repositories: 1,258,975
Downloads: 47,172,137 last month
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
All unaffected versions: 4.7.7, 4.7.8