Описание
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://security.netapp.com/advisory/ntap-20210604-0008
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
Пакеты
handlebars
< 4.7.7
4.7.7
org.webjars:handlebars
< 4.7.7
4.7.7
org.webjars.npm:handlebars
< 4.7.7
4.7.7
org.webjars.bowergithub.wycats:handlebars.js
< 4.7.7
4.7.7
Связанные уязвимости
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
The package handlebars before 4.7.7 are vulnerable to Remote Code Exec ...