ghsa-w457-6q6x-cgp9
Vulnerability from github
Published
2019-12-26 17:58
Modified
2022-06-06 17:16
Severity ?
Summary
Prototype Pollution in handlebars
Details
Versions of handlebars
prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__
and __defineGetter__
properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "(handlebars).compile" ] }, "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.3.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "bootstrap-wysihtml5-rails" }, "ranges": [ { "events": [ { "introduced": "0.3.3.5" }, { "last_affected": "0.3.3.8" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(handlebars).compile" ] }, "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.0.8" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2019-19919" ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2019-12-26T17:55:40Z", "nvd_published_at": "2019-12-20T23:15:00Z", "severity": "CRITICAL" }, "details": "Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects\u0027 `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.\n\n\n## Recommendation\n\nUpgrade to version 3.0.8, 4.3.0 or later.", "id": "GHSA-w457-6q6x-cgp9", "modified": "2022-06-06T17:16:15Z", "published": "2019-12-26T17:58:13Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919" }, { "type": "WEB", "url": "https://github.com/wycats/handlebars.js/issues/1558" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db" }, { "type": "WEB", "url": "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc" }, { "type": "WEB", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919" }, { "type": "WEB", "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js" }, { "type": "WEB", "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml" }, { "type": "PACKAGE", "url": "https://github.com/wycats/handlebars.js" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2021-14" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Prototype Pollution in handlebars" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.