handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Upstream issue: https://github.com/wycats/handlebars.js/issues/1495
Upstream patch: https://github.com/wycats/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86
Reference: https://github.com/wycats/handlebars.js/blob/master/release-notes.md
Created nodejs-handlebars tracking bugs for this issue:

Affects: epel-all [bug 1685826]
Affects: fedora-all [bug 1685825]
Kibana in OpenShift Container Platform (OCP) 3 and 4 ships a vulnerable version of the Handlebars NodeJS library. I've notified the Elastic Security Team about this, and they said they will upgrade the dependency in a future release. It's not fixed as of 5.6.15 and 6.6.1.

Red Hat Product Security have not confirmed this vulnerability is exploitable in OCP 3 or 4 via Kibana.
(In reply to Jason Shepherd from comment #5)
> Kibana in OpenShift Container Platform (OCP) 3, and 4 ships a vulnerable
> version of the Handlebars NodeJS library. I've notified the Elastic Security
> Team about this, and they said they will upgrade the dependency in a future
> release. It's not fixed as of 5.6.15 and 6.6.1.
>
> Red Hat Product Security have not confirmed this vulnerability is
> exploitable in OCP 3, or 4 via Kibana.

Will there be confirmation it is exploitable in Kibana before we take on the effort to try and fix?
It looks like there have been further fixes to address variants of this vulnerability:
https://github.com/wycats/handlebars.js/issues/1495#issuecomment-482781365

> Version 4.0.14 and 4.1.2 contain fixes for an attack vector that was not considered in 4.1.0 and 4.0.13.
>
> Another more complete fix will follow.

Appears to be referencing: https://github.com/wycats/handlebars.js/commit/cd38583216dce3252831916323202749431c773e
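As an added example (not code from this bug report, from Red Hat, or from the handlebars project), the following Node.js helper does the dependency check that the description and the comment above together call for: it scans an npm package-lock.json for every installed copy of handlebars, including nested copies pulled in by other packages, and compares each one against the fix releases quoted from upstream (4.0.14 for the 4.0.x line, 4.1.2 for the 4.1.x line). The thresholds, the reading that anything below 4.0.14 carries none of the named fixes, and the sample lockfile are assumptions made for the example; release lines the thread does not mention are reported as unknown rather than guessed, and because the upstream comment says a more complete fix will follow, "at-or-above-thread-fixes" means only the fixes named in this thread.

```javascript
// Added example, not code from the bug report or the handlebars project.
// Scans an npm package-lock.json for every installed copy of handlebars and
// compares each version against the fix releases quoted from upstream in this
// thread: 4.0.14 for the 4.0.x line and 4.1.2 for the 4.1.x line.
// Assumptions: versions below 4.0.14 (including pre-4.0 releases) carry none of
// the named fixes; release lines the thread does not mention are reported as
// unknown rather than guessed. The thread says a more complete fix will follow,
// so "at-or-above-thread-fixes" means only the fixes named here.

const THREAD_FIXES = {
  '4.0': [4, 0, 14],
  '4.1': [4, 1, 2],
};

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one handlebars version relative to the fixes named in the thread.
function classifyVersion(version) {
  const v = parseVersion(version);
  if (compareVersions(v, THREAD_FIXES['4.0']) < 0) return 'below-thread-fixes';
  const fix = THREAD_FIXES[`${v[0]}.${v[1]}`];
  if (!fix) return 'unknown-line';
  return compareVersions(v, fix) < 0 ? 'below-thread-fixes' : 'at-or-above-thread-fixes';
}

// Collect every handlebars entry from a lockfile, handling both the
// lockfileVersion 1 layout (nested "dependencies") and the v2/v3 layout
// (flat "packages" keyed by node_modules path).
function findHandlebarsEntries(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/handlebars' || path.endsWith('/node_modules/handlebars')) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'handlebars') found.push({ path, version: meta.version });
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLock(lock) {
  return findHandlebarsEntries(lock).map(({ path, version }) => ({
    path,
    version,
    status: classifyVersion(version),
  }));
}

// Constructed sample lockfile (v1 layout): a top-level handlebars below the
// named fixes, plus a nested copy pulled in by a hypothetical plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: '4.0.12' },
    'example-plugin': {
      version: '1.0.0',
      dependencies: { handlebars: { version: '4.1.2' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-handlebars.js [path/to/package-lock.json]; without an
  // argument the constructed sample is audited.
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const r of auditLock(lock)) console.log(`${r.path}@${r.version}: ${r.status}`);
}
```

Nested copies matter here because a package like Kibana can carry its own handlebars under a plugin's node_modules even when the top-level copy has been upgraded, which is why the walk records the full node_modules path of each hit.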