The handlebars package before 4.7.7 is vulnerable to Remote Code Execution (RCE) when the compat compile option is used to compile templates coming from an untrusted source.
This issue concerns only the compat:true option.
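A defender-side check for the condition described above, as an added example that is not code from the advisory or from the handlebars project: it flags handlebars entries below 4.7.7 in a package-lock.json and refuses the compat option when the template source is not trusted. The lockfile fragment and the "some-app" package name are constructed for the example.

```javascript
// Added example, not code from the advisory or from handlebars itself.
const FIXED_VERSION = [4, 7, 7]; // first release without the issue

// Parse "4.7.6" (optionally prefixed "^", "~" or "v") into numeric parts.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version is strictly below 4.7.7.
function isVulnerableHandlebars(version) {
  const a = parseVersion(version);
  const i = a.findIndex((n, k) => n !== FIXED_VERSION[k]);
  return i !== -1 && a[i] < FIXED_VERSION[i];
}

// Return "path version" for every vulnerable handlebars entry in a
// package-lock.json (v1 nested "dependencies" or v2/v3 flat "packages").
function findVulnerableHandlebars(lock) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path ? `${path}/${name}` : name;
      if (name === 'handlebars' && isVulnerableHandlebars(info.version)) hits.push(`${here} ${info.version}`);
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, '');
  for (const [p, info] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/handlebars') && isVulnerableHandlebars(info.version)) hits.push(`${p} ${info.version}`);
  }
  return hits;
}

// Guard for the condition the advisory names: refuse `compat: true` unless the
// template source is trusted; returns the options to pass to Handlebars.compile.
function compileOptionsFor(options, templateIsTrusted) {
  const out = { ...(options || {}) };
  if (out.compat && !templateIsTrusted) throw new Error('compat is not allowed for untrusted templates');
  return out;
}

// Constructed sample lockfile fragment (v1 layout); "some-app" is hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  handlebars: { version: '4.7.6' },
  'some-app': { version: '1.0.0', dependencies: { handlebars: { version: '4.7.7' } } },
} };

console.log(findVulnerableHandlebars(SAMPLE_LOCK)); // [ 'handlebars 4.7.6' ]
```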
Created nodejs-handlebars tracking bugs for this issue:
Affects: epel-7 [bug 1956695]
Affects: fedora-32 [bug 1956696]
Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed.
The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container-first code.
In OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth, which reduces the impact of this flaw to Low.
Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a Low impact rating.
Red Hat Gluster Storage 3 bundles the vulnerable Handlebars.js (with pcs); however, it does not use the "compat" option or templates from external sources, hence this issue has been rated as having a security impact of Low.