{"containers": {"cna": {"affected": [{"product": "handlebars", "vendor": "n/a", "versions": [{"lessThan": "4.7.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Francois Lajeunesse-Robert"}], "datePublic": "2021-04-12T00:00:00", "descriptions": [{"lang": "en", "value": "The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.1, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Remote Code Execution (RCE)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-04T09:06:15", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210604-0008/"}], "title": "Remote Code Execution (RCE)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-04-12T13:09:13.776933Z", "ID": "CVE-2021-23369", "STATE": "PUBLIC", "TITLE": "Remote Code Execution (RCE)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "handlebars", "version": {"version_data": [{"version_affected": "<", "version_value": "4.7.7"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Francois Lajeunesse-Robert"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution (RCE)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"}, {"name": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8", "refsource": "MISC", "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"}, {"name": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", "refsource": "MISC", "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"}, {"name": "https://security.netapp.com/advisory/ntap-20210604-0008/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210604-0008/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.827Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210604-0008/"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23369", "datePublished": "2021-04-12T13:10:28.403732Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T22:46:07.677Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D57084A5-784A-4392-AF0D-6EB14CF4B573", "versionEndExcluding": "4.7.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source."}, {"lang": "es", "value": "El paquete handlebars versiones anteriores a 4.7.7, son vulnerables a una Ejecuci\u00f3n de C\u00f3digo Remota (RCE) al seleccionar determinadas opciones de compilaci\u00f3n para compilar plantillas que provienen de una fuente no confiable"}], "id": "CVE-2021-23369", "lastModified": "2021-06-08T13:54:19.493", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-04-12T14:15:14.383", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210604-0008/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4628", "cpe": "cpe:/a:redhat:logging:5.1::el8", "impact": "low", "package": "openshift-logging/kibana6-rhel8:v6.8.1-48", "product_name": "OpenShift Logging 5.1", "release_date": "2021-11-17T00:00:00Z"}, {"advisory": "RHSA-2021:4032", "cpe": "cpe:/a:redhat:logging:5.2::el8", "impact": "low", "package": "openshift-logging/kibana6-rhel8:v6.8.1-47", "product_name": "OpenShift Logging 5.2", "release_date": "2021-11-17T00:00:00Z"}, {"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/application-ui-rhel8:v2.3.0-120", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:2500", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "impact": "low", "package": "openshift4/ose-logging-kibana6:v4.6.0-202106181629.p0.git.40f3e72", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:1334", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "handlebars", "product_name": "RHPAM 7.13.1 async", "release_date": "2023-03-20T00:00:00Z"}], "bugzilla": {"description": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option", "id": "1948761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.", "A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2021-23369", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "nodejs-handlebars", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/console-header-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/console-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/kui-web-terminal-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/mcm-topology-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "impact": "low", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "impact": "low", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "impact": "low", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "pcs", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "ovirt-engine-ui-extensions", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "ovirt-web-ui", "product_name": "Red Hat Virtualization 4"}], "public_date": "2021-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23369\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23369"], "statement": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. \nThe openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.\nIn OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use \"strict\" option and templates from external sources, hence this issue has been rated as having a security impact of Low.\nIn Red Hat Virtualization ovirt-engine-ui-extensions and ovirt-web-ui Handlebars.js is included as a dependency of conventional-changelog-writer, it does not impact production code and as such has been given a low impact rating and set to wontfix. Handlebars.js may be updated to a newer version in future updates.", "threat_severity": "Moderate", "upstream_fix": "handlebars 4.7.7"}