exploitDog

CVE-2019-19919

Published: 20 Dec 2019
Source: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS: Medium

Description

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.6:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.7:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.8:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.9:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.10:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.11:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.0.12:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.1.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.1.1:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.1.2:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.2.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.2.1:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:1.3.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:2.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.1:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.2:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.3:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.4:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.5:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.6:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:3.0.7:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.1:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.2:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.3:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.4:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.5:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.6:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.7:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.8:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.9:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.10:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.11:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.12:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.13:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.0.14:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.1.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.1.1:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.1.2:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.2.0:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.2.1:-:*:*:*:node.js:*:*
cpe:2.3:a:handlebars.js_project:handlebars.js:4.2.2:-:*:*:*:node.js:*:*

Configuration 2

cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
Versions before 5.19.0 (exclusive)

EPSS

Percentile: 95%
0.17796
Medium

9.8 Critical

CVSS3

7.5 High

CVSS2

Weaknesses

CWE-1321

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 6 years ago

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

CVSS3: 4.2
redhat
more than 6 years ago

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

CVSS3: 9.8
debian
about 6 years ago

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...

CVSS3: 9.8
github
about 6 years ago

Prototype Pollution in handlebars

CVSS3: 9.8
fstec
about 6 years ago

Vulnerability in the __proto__ and __defineGetter__ properties components of the Handlebars template engine that allows an attacker to execute arbitrary code
