CVE-2019-19919
Published 2019-12-20
Priority: P260 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.07% (93.4th percentile)
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Affected
47 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < node-handlebars 3:4.5.3-1 (bookworm) | node-handlebars 3:4.5.3-1 (bookworm) |
| handlebars.js_project | handlebars.js | — | — |
Detection & IOCs (extracted from sources)
- Detect prototype pollution attempts via Handlebars templates that modify __proto__ or __defineGetter__ properties, which are the attack vectors for this RCE vulnerability.
- Flag use of handlebars npm package versions prior to 4.3.0 in dependency manifests (package.json, package-lock.json) as vulnerable to prototype pollution RCE.
- Inspect Kibana deployments on OpenShift Container Platform 3.11 and 4 for the vulnerable nodejs-handlebars dependency, as these are confirmed affected packages.
- Red Hat Quay includes Handlebars.js only as a development dependency and does not use it at runtime to process templates, reducing exploitability in that context.
- For OpenShift Container Platform, no known attack vector was found for the prototype pollution issue in Kibana's bundled handlebars, resulting in a Low severity rating for OCP despite the code being present.
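As an added example (not part of the advisory text or of the handlebars project), the following Node.js script applies the manifest check from the detection list above: it walks a package-lock.json, in both the lockfileVersion 1 nested `dependencies` shape and the v2/v3 flat `packages` map, and reports every handlebars entry below the fixed versions the advisories give (3.0.8 for the 3.x line, 4.3.0 for 4.x). The lock file contents, package names and versions embedded below are constructed for the demonstration; pass a real lock file path as the first argument to scan it.

```javascript
// Added example: report handlebars versions affected by CVE-2019-19919 in an
// npm package-lock.json. Fixed versions per the advisory: 3.0.8 (3.x), 4.3.0 (4.x).

function parseVersion(v) {
  // Strip a leading "v" and any pre-release/build suffix; compare the numeric triple.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable: anything below 3.0.8, and 4.0.0 <= v < 4.3.0.
function isVulnerableHandlebars(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable spec (e.g. a git URL): review by hand
  if (v[0] < 3) return true;
  if (v[0] === 3) return compareVersions(v, [3, 0, 8]) < 0;
  if (v[0] === 4) return compareVersions(v, [4, 3, 0]) < 0;
  return false;
}

// Returns [{ path, version }] for every vulnerable handlebars install in the lock.
// v2/v3 locks carry a flat "packages" map keyed by install path; v1 locks nest
// "dependencies". A v2 lock has both, so "packages" is preferred to avoid double counting.
function findVulnerableHandlebars(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === '' || !pkg || !pkg.version) continue; // '' is the root project
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (name === 'handlebars' && isVulnerableHandlebars(pkg.version)) {
        hits.push({ path, version: pkg.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'handlebars' && dep.version && isVulnerableHandlebars(dep.version)) {
        hits.push({ path, version: dep.version });
      }
      if (dep.dependencies) walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample locks (not real projects): one hoisted vulnerable copy plus a
// patched nested copy, and a v1 lock with a patched top-level copy but a vulnerable nested one.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.1.2' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/handlebars': { version: '3.0.8' },
  },
};
const SAMPLE_LOCK_V1 = {
  name: 'legacy-app', lockfileVersion: 1,
  dependencies: {
    handlebars: { version: '4.3.0' },
    'old-lib': { version: '0.1.0', dependencies: { handlebars: { version: '3.0.7' } } },
  },
};

function main() {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
    : SAMPLE_LOCK_V3;
  const hits = findVulnerableHandlebars(lock);
  for (const h of hits) console.log(`VULNERABLE ${h.path} handlebars@${h.version} (CVE-2019-19919)`);
  if (hits.length === 0) console.log('no vulnerable handlebars found');
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The nested-path handling matters in practice: npm deduplicates only when ranges allow, so a patched top-level handlebars does not prove that a transitive copy under another package's `node_modules` is also patched.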
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
OSV
Prototype Pollution in handlebars
osv · 2019-12-26 · CVE-2019-19919 [CRITICAL]
Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.
## Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
GHSA
Prototype Pollution in handlebars
ghsa · 2019-12-26 · CVE-2019-19919 [CRITICAL] · CWE-1321
Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.
## Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
OSV
CVE-2019-19919: Versions of handlebars prior to 4
osv · 2019-12-20 · CVSS 9.8 · CVE-2019-19919 [CRITICAL]
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Red Hat
nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads
vendor_redhat · 2019-09-24 · CVSS 9.8 · CVE-2019-19919 [CRITICAL] · CWE-471
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this vulnerability is to confidentiality and integrity.
Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not
Debian
CVE-2019-19919: node-handlebars - Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution lead...
vendor_debian · 2019 · CVSS 9.8 · CVE-2019-19919 [CRITICAL]
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Scope: local
bookworm: resolved (fixed in 3:4.5.3-1)
bullseye: resolved (fixed in 3:4.5.3-1)
forky: resolved (fixed in 3:4.5.3-1)
sid: resolved (fixed in 3:4.5.3-1)
trixie: resolved (fixed in 3:4.5.3-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads [fedora-all]
bugzilla · 2020-01-10 · CVSS 9.8 · CVE-2019-19919 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads
bugzilla · 2020-01-10 · CVSS 9.1 · CVE-2019-19919 [CRITICAL]
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Reference:
https://www.npmjs.com/advisories/1164
Discussion:
Created nodejs-handlebars tracking bugs for this issue:
Affects: epel-6 [bug 1789961]
Affects: epel-7 [bug 1789962]
Affects: fedora-all [bug 1789960]
---
I really wonder about CVE bugs getting reported since a year for various packages related to me. First they got reported, then priority set low, then discovered not present in one by one distribution and the
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads [epel-7]
bugzilla · 2020-01-10 · CVSS 9.8 · CVE-2019-19919 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads [epel-6]
bugzilla · 2020-01-10 · CVSS 9.8 · CVE-2019-19919 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use
Published: 2019-12-20