Fix CVE–2019–20920

[debricked]

CVE–2019–20920

Vulnerable dependency:     handlebars (npm)    4.0.11

Vulnerability details

Description

Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

NVD

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

GitHub

Arbitrary Code Execution in Handlebars

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

CVSS details - 8.1

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User interaction	None
Scope	Changed
Confidentiality	High
Integrity	Low
Availability	Low

References

    NVD - CVE-2019-20920
    Arbitrary Code Execution in Handlebars · CVE-2019-20920 · GitHub Advisory Database · GitHub
    Arbitrary Code Execution in handlebars · GHSA-2cf5-4w76-r9qv · GitHub Advisory Database · GitHub
    Arbitrary Code Execution in handlebars · GHSA-q2c6-c6pm-g3gh · GitHub Advisory Database · GitHub
    fix: use String(field) in lookup when checking for "constructor" · handlebars-lang/handlebars.js@d541378 · GitHub
    handlebars - npm

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE