Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). References: https://www.npmjs.com/advisories/1316 https://www.npmjs.com/advisories/1324
Created /nodejs-handlebars tracking bugs for this issue: Affects: epel-all [bug 1882262] Affects: fedora-all [bug 1882261]
This looks like upstream patch: https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
External References: https://www.npmjs.com/advisories/1316 https://www.npmjs.com/advisories/1324
Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating. Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions the version used is newer and not affected by this flaw. In ovirt-web-ui Handlebars.js is included as a development dependency and is not used at runtime to process templates so have been given a low impact rating. Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana but as the Grafana instance is in read-only mode the configuration/dashboards cannot be modified.
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20920
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334