CVE-2021-23383

EUVD-2022-0882
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Prototype Pollution
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.6 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
snykCNA
5.6 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
handlebarsjshandlebars
𝑥
< 4.7.7
netappe-series_performance_analyzer
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-handlebars
bookworm
3:4.7.7+~4.1.0-1
fixed
bullseye
3:4.7.6+~4.1.0-2
fixed
buster
no-dsa
sid
3:4.7.7+~4.1.0-1
fixed
stretch
postponed
trixie
3:4.7.7+~4.1.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-handlebars
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
ignored
Common Weakness Enumeration
References
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210618-0007/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210618-0007/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029