Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Reference: https://www.npmjs.com/advisories/1300
Created nodejs-handlebars tracking bugs for this issue:
Affects: epel-all [bug 1882258]
Affects: fedora-all [bug 1882257]
The upstream patch: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
External References: https://www.npmjs.com/advisories/1300
Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating. Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions the version used is newer and not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating. Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container-first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode the configuration/dashboards cannot be modified.
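The statement above rates copies of Handlebars.js that are only development dependencies as low impact, because they are never used at runtime to process templates. The following added example (not code from this Bugzilla report, from Red Hat or from the handlebars.js project) applies that distinction mechanically to an npm lockfile: it walks a lockfile-v1 `dependencies` tree, flags every copy of a package whose version is below a fixed version passed on the command line (the bound itself is not on this page; take it from the npm advisory linked above), and reports whether each copy is reachable at runtime or is marked `dev`. The sample lockfile and the package names `some-renderer` and `build-tool` are constructed for the example.

```javascript
// Added example: triage an npm lockfile (v1 format, with "dev": true markers) for
// copies of a package below a fixed version, and separate runtime-reachable copies
// from development-only ones. Not code from the bug report, Red Hat or handlebars.js.

// Minimal "MAJOR.MINOR.PATCH" comparison; a pre-release suffix is ignored, which is
// acceptable for lockfiles because they pin exact versions.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `name` in a lockfile-v1 dependency tree.
// Each hit records its path in the tree, its pinned version and the "dev" flag that
// npm sets on packages only reachable from devDependencies.
function findPackage(deps, name, path = [], out = []) {
  for (const [depName, info] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name) {
      out.push({ path: here.join(' > '), version: info.version, dev: info.dev === true });
    }
    findPackage(info.dependencies, name, here, out);
  }
  return out;
}

// Classify each copy: "runtime" if below the fixed version and not dev-only,
// "dev-only" if below the fixed version but marked dev, "fixed" otherwise.
function triageLockfile(lock, name, fixedVersion) {
  return findPackage(lock.dependencies, name).map((hit) => {
    const vulnerable = compareVersions(hit.version, fixedVersion) < 0;
    let status = 'fixed';
    if (vulnerable) status = hit.dev ? 'dev-only' : 'runtime';
    return { ...hit, status };
  });
}

// Constructed sample lockfile (not a real project): one copy of handlebars nested
// under a hypothetical runtime dependency, and one top-level dev-only copy.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    'some-renderer': {
      version: '1.0.0',
      dependencies: {
        handlebars: { version: '4.1.0' },
      },
    },
    handlebars: { version: '4.1.0', dev: true },
    'build-tool': { version: '2.0.0', dev: true },
  },
};

// Usage: node triage.js <first-fixed-version>; the version is deliberately not
// hard-coded here, it comes from the advisory for the package being checked.
const fixedArg = process.argv[2];
if (fixedArg && /^\d+\.\d+\.\d+$/.test(fixedArg)) {
  for (const hit of triageLockfile(SAMPLE_LOCK, 'handlebars', fixedArg)) {
    console.log(`${hit.status.padEnd(8)} ${hit.version.padEnd(8)} ${hit.path}`);
  }
} else {
  console.log('usage: node triage.js <first-fixed-version, e.g. from the npm advisory>');
}
```

A copy reported as `runtime` is the case that matters for a parser-loop denial of service: it can be reached by whatever renders templates in production. A `dev-only` copy matches the reasoning in the statement above and can be triaged as low impact, but it still shows up in `npm audit` and should be upgraded at the next build-tool refresh. Lockfile v2/v3 files keep the flat `packages` map instead of a nested tree and would need a different walker.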
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20922
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334