Bug 1882256 (CVE-2019-20922)
| Summary: | CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alazarot, alegrand, anpicker, aos-bugs, bdettelb, bmontgom, dblechte, dfediuck, eedri, emingora, eparis, erooth, etirelli, gghezzo, gparvin, ibek, jburrell, jcantril, jokerman, jramanat, jrokos, jstastny, jweiser, kakkoyun, kconner, kmullins, krathod, kverlaen, lcosic, mgoldboi, michal.skrivanek, mloibl, mnovotny, nstielau, pjindal, pkrupa, rcernich, rguimara, rrajasek, sbonazzo, sgratch, sherold, sponnaga, stcannon, surbania, thee, tomckay, tzimanyi, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nodejs-handlebars 4.4.5 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-24 17:33:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1882257, 1882258, 1883900, 1883902, 1884126 | ||
| Bug Blocks: | 1882265 | ||
|
Description
Marian Rehak
2020-09-24 07:58:49 UTC
Created /nodejs-handlebars tracking bugs for this issue: Affects: epel-all [bug 1882258] Affects: fedora-all [bug 1882257] The upstream patch: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b External References: https://www.npmjs.com/advisories/1300 Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating. Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions the version used is newer and not affected by this flaw. In ovirt-web-ui Handlebars.js is included as a development dependency and is not used at runtime to process templates so have been given a low impact rating. Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana but as the Grafana instance is in read-only mode the configuration/dashboards cannot be modified. This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20922 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500 This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334 |