The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. References: https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952 https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
This issue is just about the strict:true option.
Created nodejs-handlebars tracking bugs for this issue: Affects: epel-7 [bug 1956691] Affects: fedora-32 [bug 1956690]
Statement: Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW. Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating. Red Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use "strict" option and templates from external sources, hence this issue has been rated as having a security impact of Low.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23369
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products: OpenShift Logging 5.1 Via RHSA-2021:4628 https://access.redhat.com/errata/RHSA-2021:4628
This issue has been addressed in the following products: OpenShift Logging 5.2 Via RHSA-2021:4032 https://access.redhat.com/errata/RHSA-2021:4032
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334