Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYyanYtcjlyZi03OTg4
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.
Permalink: https://github.com/advisories/GHSA-f2jv-r9rf-7988
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWYyanYtcjlyZi03OTg4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.132
EPSS Percentile: 0.95741
Identifiers: GHSA-f2jv-r9rf-7988, CVE-2021-23369
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
Blast Radius: 79.2
Affected Packages
maven:org.webjars.bowergithub.wycats:handlebars.js
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 4.1.1, 4.2.0, 4.4.5, 4.5.3, 4.7.2
All unaffected versions:
maven:org.webjars.npm:handlebars
Dependent packages: 35
Dependent repositories: 5
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.3, 4.0.2, 4.0.5, 4.0.6, 4.0.11, 4.0.12, 4.0.14, 4.1.1, 4.1.2, 4.2.1, 4.3.1, 4.4.0, 4.4.5, 4.5.3, 4.7.2, 4.7.3, 4.7.6
All unaffected versions: 4.7.7, 4.7.8
maven:org.webjars:handlebars
Dependent packages: 18
Dependent repositories: 96
Downloads:
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.0.0, 1.1.2, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.3, 4.0.2, 4.0.5, 4.0.6, 4.0.11, 4.0.13, 4.0.14, 4.7.6
All unaffected versions: 4.7.7
npm:handlebars
Dependent packages: 15,556
Dependent repositories: 1,258,975
Downloads: 76,731,489 last month
Affected Version Ranges: < 4.7.7
Fixed in: 4.7.7
All affected versions: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
All unaffected versions: 4.7.7, 4.7.8