GHSA-f2jv-r9rf-7988

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-f2jv-r9rf-7988/GHSA-f2jv-r9rf-7988.json

Aliases

CVE-2021-23369

Published

2021-05-06T15:57:44Z

Modified

2023-04-11T01:43:47.894945Z

Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

References

Affected packages

npm / handlebars

Source Details

Package Name: handlebars

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.7.7

Ecosystem specific

{
    "affected_functions": [
        "handlebars.template"
    ]
}

Maven / org.webjars:handlebars

Source Details

Package Name: org.webjars:handlebars

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.7.7

Affected versions

1.*

1.0.0-rc.3

1.0.0-rc.4

1.0.rc.1

1.0.0

1.1.2

1.2.1

1.3.0

2.*

2.0.0-alpha.2

2.0.0

2.0.0-1

3.*

3.0.0

3.0.0-1

3.0.3

4.*

4.0.2

4.0.5

4.0.6

4.0.11

4.0.11-1

4.0.13

4.0.14

4.7.6

Maven / org.webjars.npm:handlebars

Source Details

Package Name: org.webjars.npm:handlebars

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.7.7

Affected versions

1.*

1.3.0

2.*

2.0.0

3.*

3.0.0

3.0.1

3.0.3

4.*

4.0.2

4.0.5

4.0.6

4.0.11

4.0.12

4.0.14

4.1.1

4.1.2

4.2.1

4.3.1

4.4.0

4.4.5

4.5.3

4.7.2

4.7.3

4.7.6

Maven / org.webjars.bowergithub.wycats:handlebars.js

Source Details

Package Name: org.webjars.bowergithub.wycats:handlebars.js

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.7.7

Affected versions

4.*

4.1.1

4.2.0

4.4.5

4.5.3

4.7.2