GHSA-f2jv-r9rf-7988

Suggest an improvement
Source
https://github.com/advisories/GHSA-f2jv-r9rf-7988
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-f2jv-r9rf-7988/GHSA-f2jv-r9rf-7988.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f2jv-r9rf-7988
Aliases
  • CVE-2021-23369
  • SNYK-JAVA-ORGWEBJARS-1074950
  • SNYK-JAVA-ORGWEBJARSBOWER-1074951
  • SNYK-JAVA-ORGWEBJARSNPM-1074952
  • SNYK-JS-HANDLEBARS-1056767
Published
2021-05-06T15:57:44Z
Modified
2024-02-17T05:34:32.946827Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Remote code execution in handlebars when compiling templates
Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Database specific
{
    "nvd_published_at": "2021-04-12T14:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-13T22:07:10Z"
}
References

Affected packages

npm / handlebars

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.7

Ecosystem specific

{
    "affected_functions": [
        "(handlebars).template"
    ]
}

Maven / org.webjars:handlebars

Package

Name
org.webjars:handlebars
View open source insights on deps.dev
Purl
pkg:maven/org.webjars/handlebars

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.7

Affected versions

1.*

1.0.0-rc.3
1.0.0-rc.4
1.0.rc.1
1.0.0
1.1.2
1.2.1
1.3.0

2.*

2.0.0-alpha.2
2.0.0
2.0.0-1

3.*

3.0.0
3.0.0-1
3.0.3

4.*

4.0.2
4.0.5
4.0.6
4.0.11
4.0.11-1
4.0.13
4.0.14
4.7.6

Maven / org.webjars.npm:handlebars

Package

Name
org.webjars.npm:handlebars
View open source insights on deps.dev
Purl
pkg:maven/org.webjars.npm/handlebars

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.7

Affected versions

1.*

1.3.0

2.*

2.0.0

3.*

3.0.0
3.0.1
3.0.3

4.*

4.0.2
4.0.5
4.0.6
4.0.11
4.0.12
4.0.14
4.1.1
4.1.2
4.2.1
4.3.1
4.4.0
4.4.5
4.5.3
4.7.2
4.7.3
4.7.6

Maven / org.webjars.bowergithub.wycats:handlebars.js

Package

Name
org.webjars.bowergithub.wycats:handlebars.js
View open source insights on deps.dev
Purl
pkg:maven/org.webjars.bowergithub.wycats/handlebars.js

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.7

Affected versions

4.*

4.1.1
4.2.0
4.4.5
4.5.3
4.7.2