CVE-2019-19919Prototype Pollution in Handlebars

CWE-1321Prototype PollutionCWE-471Modification of Assumed-Immutable DataCWE-74Injection11 documents7 sources
Severity
9.8CRITICALNVD
EPSS
17.8%
top 4.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Tenable Tenable.scHandlebarsjs HandlebarsHandlebars.js Project Handlebars.js
Timeline
PublishedDec 20
Latest updateJan 10

Description

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

npmhandlebarsjs/handlebars4.0.04.3.0+1
NVDtenable/tenable.sc< 5.19.0

Patches

Patch: www.tenable.comPatch: www.tenable.com

🔴Vulnerability Details

4
OSV
Prototype Pollution in handlebars2019-12-26
GHSA
Prototype Pollution in handlebars2019-12-26
OSV
CVE-2019-19919: Versions of handlebars prior to 42019-12-20
CVEList
CVE-2019-19919: Versions of handlebars prior to 42019-12-20

📋Vendor Advisories

2
Red Hat
nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads2019-09-24
Debian
CVE-2019-19919: node-handlebars - Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution lead...2019

💬Community

4
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads [fedora-all]2020-01-10
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads2020-01-10
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads [epel-7]2020-01-10
Bugzilla
CVE-2019-19919 nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads [epel-6]2020-01-10
CVE-2019-19919 — Prototype Pollution in Handlebars | cvebase