GHSA-f2jv-r9rf-7988

Source
https://github.com/advisories/GHSA-f2jv-r9rf-7988
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-f2jv-r9rf-7988/GHSA-f2jv-r9rf-7988.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f2jv-r9rf-7988
Aliases
  • CVE-2021-23369
  • SNYK-JAVA-ORGWEBJARS-1074950
  • SNYK-JAVA-ORGWEBJARSBOWER-1074951
  • SNYK-JAVA-ORGWEBJARSNPM-1074952
  • SNYK-JS-HANDLEBARS-1056767
Related
Published
2021-05-06T15:57:44Z
Modified
2024-08-01T07:13:02.944499Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Remote code execution in handlebars when compiling templates
Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.

Database specific
{
    "nvd_published_at": "2021-04-12T14:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-13T22:07:10Z"
}
References

Affected packages

npm / handlebars

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.7.7

Ecosystem specific

{
    "affected_functions": [
        "(handlebars).template"
    ]
}

Maven / org.webjars:handlebars

Package

Name
org.webjars:handlebars
Purl
pkg:maven/org.webjars/handlebars

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.7.7

Affected versions

1.*

1.0.0-rc.3
1.0.0-rc.4
1.0.rc.1
1.0.0
1.1.2
1.2.1
1.3.0

2.*

2.0.0-alpha.2
2.0.0
2.0.0-1

3.*

3.0.0
3.0.0-1
3.0.3

4.*

4.0.2
4.0.5
4.0.6
4.0.11
4.0.11-1
4.0.13
4.0.14
4.7.6

Maven / org.webjars.npm:handlebars

Package

Name
org.webjars.npm:handlebars
Purl
pkg:maven/org.webjars.npm/handlebars

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.7.7

Affected versions

1.*

1.3.0

2.*

2.0.0

3.*

3.0.0
3.0.1
3.0.3

4.*

4.0.2
4.0.5
4.0.6
4.0.11
4.0.12
4.0.14
4.1.1
4.1.2
4.2.1
4.3.1
4.4.0
4.4.5
4.5.3
4.7.2
4.7.3
4.7.6

Maven / org.webjars.bowergithub.wycats:handlebars.js

Package

Name
org.webjars.bowergithub.wycats:handlebars.js
Purl
pkg:maven/org.webjars.bowergithub.wycats/handlebars.js

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.7.7

Affected versions

4.*

4.1.1
4.2.0
4.4.5
4.5.3
4.7.2