Fix CVE–2021–23369

[debricked-staging]

CVE–2021–23369

Vulnerability details

Description

GitHub

Remote code execution in handlebars when compiling templates

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

NVD

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

GitLab Advisory Database (Open Source Edition)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    CVE-2021-23369 Node.js Vulnerability in NetApp Products | NetApp Product Security
    npm/handlebars/CVE-2021-23369.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    NVD - CVE-2021-23369
    Remote code execution in handlebars when compiling templates · CVE-2021-23369 · GitHub Advisory Database · GitHub
    fix: check prototype property access in strict-mode (#1736) · handlebars-lang/handlebars.js@b6d3de7 · GitHub
    fix: escape property names in compat mode (#1736) · handlebars-lang/handlebars.js@f058970 · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE