Fix CVE–2019–19919

[debricked-staging]

CVE–2019–19919

Vulnerable dependency:     handlebars (Yarn)    4.0.11

Vulnerable dependency:     handlebars (npm)    4.0.11

Vulnerability details

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

GitHub

Prototype Pollution in handlebars

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

NVD

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Prototype Pollution in handlebars · CVE-2019-19919 · GitHub Advisory Database · GitHub
    NVD - CVE-2019-19919
    Prototype Pollution in handlebars · CVE-2019-19919 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE