Bug 1882260 (CVE-2019-20920) - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
Summary: CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate te...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-20920
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1882262 1882261 1883900 1883902 1884125
Blocks: 1882265
TreeView+ depends on / blocked
 
Reported: 2020-09-24 07:59 UTC by Marian Rehak
Modified: 2023-03-20 09:13 UTC (History)
50 users (show)

Fixed In Version: nodejs-handlebars 4.5.3, nodejs-handlebars 3.0.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2020-11-24 17:33:58 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5179 0 None None None 2020-11-24 13:09:12 UTC
Red Hat Product Errata RHSA-2021:2500 0 None None None 2021-06-29 06:30:29 UTC
Red Hat Product Errata RHSA-2021:3917 0 None None None 2021-10-19 12:10:27 UTC
Red Hat Product Errata RHSA-2023:1334 0 None None None 2023-03-20 09:13:21 UTC

Description Marian Rehak 2020-09-24 07:59:52 UTC 
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

References:

https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
Comment 1 Marian Rehak 2020-09-24 08:00:46 UTC 
Created /nodejs-handlebars tracking bugs for this issue:

Affects: epel-all [bug 1882262]
Affects: fedora-all [bug 1882261]
Comment 2 Przemyslaw Roguski 2020-09-24 11:45:31 UTC 
This looks like upstream patch:
https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
Comment 3 Przemyslaw Roguski 2020-09-24 11:45:35 UTC 
External References:

https://www.npmjs.com/advisories/1316
https://www.npmjs.com/advisories/1324
Comment 14 Stoyan Nikolov 2020-10-01 06:52:35 UTC 
Statement:

Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.

Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions the version used is newer and not affected by this flaw. In ovirt-web-ui Handlebars.js is included as a development dependency and is not used at runtime to process templates so have been given a low impact rating.

Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana but as the Grafana instance is in read-only mode the configuration/dashboards cannot be modified.
Comment 16 errata-xmlrpc 2020-11-24 13:09:08 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179
Comment 17 Product Security DevOps Team 2020-11-24 17:33:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20920
Comment 20 errata-xmlrpc 2021-06-29 06:30:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500
Comment 21 errata-xmlrpc 2021-10-19 12:10:24 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
Comment 24 errata-xmlrpc 2023-03-20 09:13:19 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334
Note You need to log in before you can comment on or make changes to this bug.