CVE-2021-23369 — Code Injection in Handlebars

CWE-94 — Code Injection8 documents7 sources

Severity

9.8CRITICALNVD

CNA5.6

EPSS

1.8%

top 17.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Handlebarsjs Handlebars

Timeline

PublishedApr 12

Latest updateApr 15

Description

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5handlebarsjs/handlebarsunspecified — 4.7.7

▶NVDhandlebarsjs/handlebars< 4.7.7

▶npmhandlebarsjs/handlebars< 4.7.7

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Remote code execution in handlebars when compiling templates↗2021-05-06

▶

OSV

Remote code execution in handlebars when compiling templates↗2021-05-06

▶

OSV

CVE-2021-23369: The package handlebars before 4↗2021-04-12

▶

CVEList

Remote Code Execution (RCE)↗2021-04-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Samples (handlebars) — CVE-2021-23369↗2024-04-15

▶

Red Hat

nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option↗2021-04-12

▶

Debian

CVE-2021-23369: node-handlebars - The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE...↗2021

▶