NodeJS/handlebars/4.7.5
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
https://www.npmjs.com/package/handlebars
MIT
2 Security Vulnerabilities
Prototype Pollution in handlebars
Published date: 2022-02-10T23:51:42Z
CVE: CVE-2021-23383
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23383
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://www.npmjs.com/package/handlebars
- https://security.netapp.com/advisory/ntap-20210618-0007/
- https://github.com/advisories/GHSA-765h-qjxv-5f44
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when certain compile options are selected to compile templates coming from an untrusted source.
Affected versions:
["1.0.10", "1.0.12", "1.3.0", "2.0.0-alpha.3", "2.0.0-alpha.4", "2.0.0", "3.0.1", "3.0.3", "4.0.3", "4.0.4", "4.0.5", "4.0.9", "4.0.10", "1.0.5-beta", "4.0.12", "3.0.4", "3.0.6", "4.1.0", "4.0.13", "4.1.1", "3.0.7", "4.2.0", "4.3.0", "4.3.4", "4.4.0", "4.3.5", "4.2.2", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "4.5.1", "4.5.2", "4.5.3", "4.6.0", "4.7.0", "4.7.2", "4.7.5", "4.7.6", "1.0.6", "1.0.6-2", "1.0.7", "1.0.8", "1.0.9", "1.0.11", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "2.0.0-alpha.1", "2.0.0-alpha.2", "2.0.0-beta.1", "3.0.0", "3.0.2", "4.0.0", "4.0.1", "4.0.2", "4.0.6", "4.0.7", "4.0.8", "4.0.11", "1.0.2-beta", "1.0.4-beta", "3.0.5", "4.1.2", "4.0.14", "4.1.2-0", "4.2.1", "4.3.1", "4.3.2", "4.3.3", "4.4.1", "4.4.5", "4.7.1", "4.7.3", "3.0.8", "4.7.4"]
Secure versions:
[4.7.7, 4.7.8]
Recommendation:
Update to version 4.7.8.
Remote code execution in handlebars when compiling templates
Published date: 2021-05-06T15:57:44Z
CVE: CVE-2021-23369
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.
Affected versions:
["1.0.10", "1.0.12", "1.3.0", "2.0.0-alpha.3", "2.0.0-alpha.4", "2.0.0", "3.0.1", "3.0.3", "4.0.3", "4.0.4", "4.0.5", "4.0.9", "4.0.10", "1.0.5-beta", "4.0.12", "3.0.4", "3.0.6", "4.1.0", "4.0.13", "4.1.1", "3.0.7", "4.2.0", "4.3.0", "4.3.4", "4.4.0", "4.3.5", "4.2.2", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "4.5.1", "4.5.2", "4.5.3", "4.6.0", "4.7.0", "4.7.2", "4.7.5", "4.7.6", "1.0.6", "1.0.6-2", "1.0.7", "1.0.8", "1.0.9", "1.0.11", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "2.0.0-alpha.1", "2.0.0-alpha.2", "2.0.0-beta.1", "3.0.0", "3.0.2", "4.0.0", "4.0.1", "4.0.2", "4.0.6", "4.0.7", "4.0.8", "4.0.11", "1.0.2-beta", "1.0.4-beta", "3.0.5", "4.1.2", "4.0.14", "4.1.2-0", "4.2.1", "4.3.1", "4.3.2", "4.3.3", "4.4.1", "4.4.5", "4.7.1", "4.7.3", "3.0.8", "4.7.4"]
Secure versions:
[4.7.7, 4.7.8]
Recommendation:
Update to version 4.7.8.
80 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
3.0.6 | MIT | 13 | 2019-01-02 - 09:19 | over 6 years |
3.0.5 | MIT | 13 | 2018-12-15 - 13:16 | over 6 years |
3.0.4 | MIT | 13 | 2018-12-15 - 12:55 | over 6 years |
3.0.3 | MIT | 13 | 2015-04-28 - 19:52 | about 10 years |
3.0.2 | MIT | 13 | 2015-04-20 - 08:11 | about 10 years |
3.0.1 | MIT | 13 | 2015-03-24 - 19:22 | over 10 years |
3.0.0 | MIT | 13 | 2015-02-10 - 06:19 | over 10 years |
2.0.0 | MIT | 13 | 2014-09-02 - 02:28 | almost 11 years |
2.0.0-beta.1 | MIT | 13 | 2014-08-26 - 23:56 | almost 11 years |
2.0.0-alpha.4 | MIT | 13 | 2014-05-20 - 04:15 | about 11 years |
2.0.0-alpha.3 | MIT | 13 | 2014-05-20 - 03:29 | about 11 years |
2.0.0-alpha.2 | MIT | 13 | 2014-03-06 - 07:29 | over 11 years |
2.0.0-alpha.1 | MIT | 13 | 2014-02-10 - 08:13 | over 11 years |
1.3.0 | MIT | 13 | 2014-01-02 - 04:10 | over 11 years |
1.2.1 | MIT | 13 | 2013-12-26 - 22:29 | over 11 years |
1.2.0 | MIT | 13 | 2013-12-24 - 03:40 | over 11 years |
1.1.2 | BSD | 13 | 2013-11-06 - 00:10 | over 11 years |
1.1.1 | BSD | 13 | 2013-11-04 - 16:51 | over 11 years |
1.1.0 | BSD | 13 | 2013-11-04 - 03:26 | over 11 years |
1.0.12 | MIT | 13 | 2013-05-31 - 18:17 | about 12 years |
1.0.11 | MIT | 13 | 2013-05-14 - 04:09 | about 12 years |
1.0.10 | MIT | 13 | 2013-02-27 - 13:52 | over 12 years |
1.0.9 | MIT | 13 | 2013-02-16 - 01:42 | over 12 years |
1.0.8 | MIT | 13 | 2013-01-19 - 08:16 | over 12 years |
1.0.7 | MIT | 13 | 2012-09-18 - 00:27 | almost 13 years |
1.0.6 | MIT | 13 | 2012-07-23 - 20:40 | almost 13 years |
1.0.6-2 | MIT | 13 | 2012-07-31 - 16:51 | almost 13 years |
1.0.5-beta | MIT | 13 | 2012-02-09 - 17:06 | over 13 years |
1.0.4-beta | MIT | 13 | 2012-01-17 - 20:31 | over 13 years |
1.0.2-beta | MIT | 13 | 2011-08-22 - 07:43 | almost 14 years |