Moole Vulnerability Database

Find real vulnerabilities before they ship

Critical

CVE-2021-23369

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

VectorNETWORK

PublishedApr 12, 2021, 14:15

Published Byreport@snyk.io

Base Score

Score9.8

Affected Versions

Package (Ecosystem)IntroducedFixedLimit

handlebars(npm)04.7.7N/A

org.webjars:handlebars(Maven)04.7.7N/A

org.webjars.npm:handlebars(Maven)04.7.7N/A

org.webjars.bowergithub.wycats:handlebars.js(Maven)04.7.7N/A

References

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210604-0008/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

Weakness Type

NVD-CWE-noinfo

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base SeverityCritical

Version

3.1

Attack Vector (AV)

NETWORK