Bug 1956688 (CVE-2021-23383) - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
Summary: CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrus...
Status: NEW
Alias: CVE-2021-23383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1883902 1949679 1952909 1956695 1956696 1956706 1956870 1958632 1956705
Blocks: 1948762
TreeView+ depends on / blocked
Reported: 2021-05-04 08:44 UTC by Riccardo Schirone
Modified: 2021-05-12 07:54 UTC (History)
34 users (show)

Fixed In Version: handlebars 4.7.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Riccardo Schirone 2021-05-04 08:44:53 UTC
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when using compat compile option to compile templates coming from an untrusted source.

Upstream patch:

Comment 1 Riccardo Schirone 2021-05-04 08:49:56 UTC
This issue is just about the compat:true option.

Comment 2 Riccardo Schirone 2021-05-04 08:59:21 UTC
Created nodejs-handlebars tracking bugs for this issue:

Affects: epel-7 [bug 1956695]
Affects: fedora-32 [bug 1956696]

Comment 12 Hardik Vyas 2021-05-10 13:09:41 UTC

Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. 
The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.

In OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.

Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.

Red Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use "compat" option and templates from external sources, hence this issue has been rated as having a security impact of Low.

Note You need to log in before you can comment on or make changes to this bug.