GHSA-f2jv-r9rf-7988

Source

https://github.com/advisories/GHSA-f2jv-r9rf-7988

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-f2jv-r9rf-7988/GHSA-f2jv-r9rf-7988.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f2jv-r9rf-7988

Aliases

CVE-2021-23369

Related

Published

2021-05-06T15:57:44Z

Modified

2025-02-13T05:31:27.487158Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote code execution in handlebars when compiling templates

Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Database specific

{
    "nvd_published_at": "2021-04-12T14:15:00Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2021-04-13T22:07:10Z"
}

References

Affected packages

Maven

org.webjars:handlebars

Package

Name: org.webjars:handlebars; View open source insights on deps.dev
Purl: pkg:maven/org.webjars/handlebars

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.7.7

Affected versions

1.*

1.0.0-rc.3

1.0.0-rc.4

1.0.rc.1

1.0.0

1.1.2

1.2.1

1.3.0

2.*

2.0.0-alpha.2

2.0.0

2.0.0-1

3.*

3.0.0

3.0.0-1

3.0.3

4.*

4.0.2

4.0.5

4.0.6

4.0.11

4.0.11-1

4.0.13

4.0.14

4.7.6

org.webjars.npm:handlebars

Package

Name: org.webjars.npm:handlebars; View open source insights on deps.dev
Purl: pkg:maven/org.webjars.npm/handlebars

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.7.7

Affected versions

1.*

1.3.0

2.*

2.0.0

3.*

3.0.0

3.0.1

3.0.3

4.*

4.0.2

4.0.5

4.0.6

4.0.11

4.0.12

4.0.14

4.1.1

4.1.2

4.2.1

4.3.1

4.4.0

4.4.5

4.5.3

4.7.2

4.7.3

4.7.6

org.webjars.bowergithub.wycats:handlebars.js

Package

Name: org.webjars.bowergithub.wycats:handlebars.js; View open source insights on deps.dev
Purl: pkg:maven/org.webjars.bowergithub.wycats/handlebars.js

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.7.7

Affected versions

4.*

4.1.1

4.2.0

4.4.5

4.5.3

4.7.2

npm

handlebars

Package

Name: handlebars; View open source insights on deps.dev
Purl: pkg:npm/handlebars

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.7.7