Bug 1882260 (CVE-2019-20920)

Summary: CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alazarot, alegrand, anpicker, aos-bugs, bdettelb, bmontgom, dblechte, dfediuck, eedri, emingora, eparis, erooth, etirelli, gghezzo, gparvin, ibek, jburrell, jcantril, jokerman, jramanat, jrokos, jstastny, jweiser, kakkoyun, kconner, kmullins, krathod, kverlaen, lcosic, mgoldboi, michal.skrivanek, mloibl, mnovotny, nstielau, pjindal, pkrupa, proguski, rcernich, rguimara, rrajasek, sbonazzo, sgratch, sherold, sponnaga, stcannon, surbania, thee, tomckay, tzimanyi, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs-handlebars 4.5.3, nodejs-handlebars 3.0.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. This flaw can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-24 17:33:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1882262, 1882261, 1883900, 1883902, 1884125
Bug Blocks: 1882265

Description Marian Rehak 2020-09-24 07:59:52 UTC
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

References:

https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324

Comment 1 Marian Rehak 2020-09-24 08:00:46 UTC
Created /nodejs-handlebars tracking bugs for this issue:

Affects: epel-all [bug 1882262]
Affects: fedora-all [bug 1882261]

Comment 2 Przemyslaw Roguski 2020-09-24 11:45:31 UTC
This looks like the upstream patch:
https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e

Comment 3 Przemyslaw Roguski 2020-09-24 11:45:35 UTC
External References:

https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324

Comment 14 Stoyan Nikolov 2020-10-01 06:52:35 UTC
Statement:

Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.

Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions the version used is newer and not affected by this flaw. In ovirt-web-ui Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.

Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container-first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode the configuration/dashboards cannot be modified.
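
The description above gives the affected ranges (prior to 3.0.8 or 4.5.3) and the statement above rates components by whether Handlebars.js is a runtime or a development-only dependency. The following triage helper is an added example, written for this page; it is not code from the Bugzilla record, from Red Hat, or from the Handlebars project. It assumes a dependency tree in the shape npm writes into a version 1 package-lock.json (a "dependencies" map whose entries carry "version" and an optional "dev": true flag), ignores prerelease and build suffixes when comparing versions, and runs over a constructed sample tree rather than a real project's lock file.

```javascript
// Added example (not from the Bugzilla page or the Handlebars project).
// Walks a package-lock v1 style tree, finds every copy of handlebars,
// checks it against the ranges named in the advisory
// (< 3.0.8, or >= 4.0.0 and < 4.5.3), and records whether the copy is
// dev-only, which is the distinction behind the "low impact" ratings.

// First fixed release on each affected major line (from the bug's
// "Fixed In Version" field).
const FIXED = { 3: [3, 0, 8], 4: [4, 5, 3] };

function parseVersion(v) {
  // "4.1.2-alpha.1+build" -> [4, 1, 2]. Assumption: prerelease and build
  // metadata are dropped rather than compared.
  const core = v.replace(/^[v=]/, '').split('-')[0].split('+')[0];
  const parts = core.split('.');
  if (parts.length !== 3 || !parts.every(p => /^\d+$/.test(p))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts.map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  if (v[0] < 3) return true;                        // every 1.x / 2.x is below 3.0.8
  if (v[0] === 3) return compare(v, FIXED[3]) < 0;  // 3.x fixed in 3.0.8
  if (v[0] === 4) return compare(v, FIXED[4]) < 0;  // 4.x fixed in 4.5.3
  return false;                                     // later majors are outside the advisory
}

function findHandlebars(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === 'handlebars') {
      out.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: isVulnerable(node.version),
        devOnly: node.dev === true,
      });
    }
    findHandlebars(node, here, out); // nested node_modules
  }
  return out;
}

function triage(tree) {
  const findings = findHandlebars(tree);
  const runtime = findings.filter(f => f.vulnerable && !f.devOnly);
  const devOnly = findings.filter(f => f.vulnerable && f.devOnly);
  let rating = 'not affected';
  if (runtime.length) rating = 'affected (runtime dependency)';
  else if (devOnly.length) rating = 'low (development dependency only)';
  return { findings, rating };
}

// Constructed sample lock tree; not taken from any real project.
const SAMPLE_LOCK = {
  dependencies: {
    'some-build-tool': {
      version: '1.0.0', dev: true,
      dependencies: { handlebars: { version: '4.1.2', dev: true } },
    },
    'some-mailer': {
      version: '2.3.0',
      dependencies: { handlebars: { version: '4.5.3' } },
    },
  },
};

console.log(JSON.stringify(triage(SAMPLE_LOCK), null, 2));
```

Running the block prints the two findings and the rating "low (development dependency only)": the 4.1.2 copy is vulnerable but dev-only, while the runtime copy is already at the fixed 4.5.3. Whether a dev-only copy is truly unreachable still depends on how the build artifacts are shipped, which is what the Quay and ovirt-web-ui statements assert case by case.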

Comment 16 errata-xmlrpc 2020-11-24 13:09:08 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179

Comment 17 Product Security DevOps Team 2020-11-24 17:33:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20920

Comment 20 errata-xmlrpc 2021-06-29 06:30:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500

Comment 21 errata-xmlrpc 2021-10-19 12:10:24 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917

Comment 24 errata-xmlrpc 2023-03-20 09:13:19 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334