CRITICAL 9.8 npm
Prototype Pollution in handlebars
GHSA-w457-6q6x-cgp9 · CVE-2019-19919
Published · Modified
Description
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
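As an added example (not part of this advisory or of the handlebars project), the following script encodes the affected ranges above (everything below 3.0.8, and 4.0.0 up to but not including 4.3.0) and scans a package-lock.json "packages" map for handlebars copies that still need the upgrade. The lockfile content is constructed for the demonstration; pre-release builds such as 4.3.0-rc.1 are treated as older than the fixed release.

```javascript
// Fixed releases named in GHSA-w457-6q6x-cgp9; every earlier release is affected.
// The trailing 1 marks a final release; a pre-release of the same number gets 0 so it sorts lower.
const FIXED_3X = [3, 0, 8, 1];
const FIXED_4X = [4, 3, 0, 1];

// Parse "major.minor.patch[-pre][+build]" into a comparable 4-tuple.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function cmp(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the given handlebars version falls inside the advisory's affected ranges.
function isVulnerableHandlebars(version) {
  const v = parseSemver(version);
  if (cmp(v, FIXED_3X) < 0) return true;            // 0.x, 1.x, 2.x and 3.0.0..3.0.7
  if (v[0] === 4 && cmp(v, FIXED_4X) < 0) return true; // 4.0.0..4.2.x and 4.3.0 pre-releases
  return false;                                      // 3.0.8+, 4.3.0+, 5.x and later
}

// Walk a lockfile v2/v3 "packages" map and report every nested handlebars install that is affected.
function findVulnerableHandlebars(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/handlebars$/.test(path)) continue;
    if (isVulnerableHandlebars(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project, not real dependency data).
const sampleLock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/handlebars": { version: "4.1.2" },
    "node_modules/some-tool/node_modules/handlebars": { version: "3.0.8" },
    "node_modules/other-tool/node_modules/handlebars": { version: "4.3.0-rc.1" },
  },
};

for (const hit of findVulnerableHandlebars(sampleLock)) {
  console.log(`${hit.path}@${hit.version} is affected; upgrade to 3.0.8 / 4.3.0 or later`);
}
```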
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-19919
- WEB https://github.com/wycats/handlebars.js/issues/1558
- WEB https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
- WEB https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
- WEB https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
- WEB https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
- WEB https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
- WEB https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
- PACKAGE https://github.com/wycats/handlebars.js
- WEB https://www.tenable.com/security/tns-2021-14