CVE-2021-23369 (High) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz #157

mend-for-github-com · 2021-04-16T01:02:53Z

CVE-2021-23369 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.1.0.tgz, handlebars-1.3.0.tgz

handlebars-4.1.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz

Path to dependency file: jazz/core/jazz_t-vault/package.json

Path to vulnerable library: jazz/core/jazz_t-vault/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_environments/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_email/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_codeq/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_services-handler/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_is-slack-channel-available/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_slack-event-handler/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_apigee-proxy-aws/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_cognito-authorizer/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_logs/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_deployments-event-handler/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_usermanagement/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_splunk-kinesis-log-streamer/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_es-kinesis-log-streamer/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_environment-event-handler/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_cognito-admin-authorizer/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_create-serverless-service/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_cloud-logs-streamer/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_metrics/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_delete-serverless-service/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_services/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_assets/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_events/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_login/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_admin/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_scm-webhook/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_slack-channel/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_deployments/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_is-service-available/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_logout/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_acl/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_test-lambda/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_asset-event-handler/node_modules/nyc/node_modules/handlebars/package.json,jazz/core/jazz_events-handler/node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

nyc-13.3.0.tgz (Root Library)
- istanbul-reports-2.1.1.tgz
  - ❌ handlebars-4.1.0.tgz (Vulnerable Library)

handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: jazz/core/jazz_ui/src/app/primary-components/daterange-picker/ng2-datepicker/package.json

Path to vulnerable library: jazz/core/jazz_ui/src/app/primary-components/daterange-picker/ng2-datepicker/node_modules/handlebars/package.json

Dependency Hierarchy:

cli-1.0.0-rc.0.tgz (Root Library)
- postcss-url-5.1.2.tgz
  - directory-encoder-0.7.2.tgz
    - ❌ handlebars-1.3.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution: handlebars - 4.7.7

mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Apr 16, 2021

mend-for-github-com bot changed the title ~~CVE-2021-23369 (Medium) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz~~ CVE-2021-23369 (High) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz Apr 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-23369 (High) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz #157

CVE-2021-23369 (High) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz #157

mend-for-github-com bot commented Apr 16, 2021 •

edited

CVE-2021-23369 (High) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz #157

CVE-2021-23369 (High) detected in handlebars-4.1.0.tgz, handlebars-1.3.0.tgz #157

Comments

mend-for-github-com bot commented Apr 16, 2021 • edited

CVE-2021-23369 - High Severity Vulnerability

mend-for-github-com bot commented Apr 16, 2021 •

edited