Bug 1882260 (CVE-2019-20920)
Summary: | CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | alazarot, alegrand, anpicker, aos-bugs, bdettelb, bmontgom, dblechte, dfediuck, eedri, emingora, eparis, erooth, etirelli, gghezzo, gparvin, ibek, jburrell, jcantril, jokerman, jramanat, jrokos, jstastny, jweiser, kakkoyun, kconner, kmullins, krathod, kverlaen, lcosic, mgoldboi, michal.skrivanek, mloibl, mnovotny, nstielau, pjindal, pkrupa, proguski, rcernich, rguimara, rrajasek, sbonazzo, sgratch, sherold, sponnaga, stcannon, surbania, thee, tomckay, tzimanyi, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs-handlebars 4.5.3, nodejs-handlebars 3.0.8 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-24 17:33:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1882262, 1882261, 1883900, 1883902, 1884125 | ||
Bug Blocks: | 1882265 |
Description
Marian Rehak
2020-09-24 07:59:52 UTC
Created /nodejs-handlebars tracking bugs for this issue: Affects: epel-all [bug 1882262] Affects: fedora-all [bug 1882261] This looks like upstream patch: https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e External References: https://www.npmjs.com/advisories/1316 https://www.npmjs.com/advisories/1324 Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating. Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions the version used is newer and not affected by this flaw. In ovirt-web-ui Handlebars.js is included as a development dependency and is not used at runtime to process templates so have been given a low impact rating. Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana but as the Grafana instance is in read-only mode the configuration/dashboards cannot be modified. This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20920 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500 This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334 |