Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Created nodejs-handlebars tracking bugs for this issue:
Affects: epel-6 [bug 1789961]
Affects: epel-7 [bug 1789962]
Affects: fedora-all [bug 1789960]
I really wonder about CVE bugs getting reported since a year for various packages related to me. First they got reported, then priority set low, then discovered not present in one by one distribution and then get closed...
While OpenShift Container Platform (OCP) contains the affected nodejs-handlebars code, it's added as a dependency of Kibana 5. Similar issues about prototype pollution have been fixed, but no known attack vector was found, so we're rating this issue as Low for OCP.
 CVE-2019-10744 https://www.elastic.co/community/security
While Red Hat Quay declares a dependency on nodejs-handlebars, it doesn't appear to be used in the code. This issue might be fixed in a future update.
Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.
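
To check a project for the condition this bug describes (handlebars prior to 4.3.0) and to separate development-only copies from runtime ones, as the Quay statement does, the following added example (not part of the bug report or of any Red Hat tooling) scans the `packages` map of a package-lock.json. It assumes lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag handlebars copies older than 4.3.0 in a package-lock.json
// "packages" map (lockfileVersion 2/3 assumed). All names here are illustrative.
const FIXED = [4, 3, 0]; // first fixed release per the advisory text

function parseVersion(v) {
  // Keep major.minor.patch only; prerelease/build suffixes are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal versions are not "before"
}

function findVulnerableHandlebars(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the top-level copy and copies nested under other packages,
    // but not look-alike names such as handlebars-loader.
    if (!/(^|\/)node_modules\/handlebars$/.test(path)) continue;
    const ver = parseVersion(meta.version);
    if (ver === null) {
      findings.push({ path, version: meta.version, scope: 'unknown', status: 'unparseable' });
      continue;
    }
    if (!isBefore(ver, FIXED)) continue;
    // "dev: true" marks packages reachable only through devDependencies.
    const scope = meta.dev ? 'dev-only' : 'runtime';
    findings.push({ path, version: meta.version, scope, status: 'vulnerable' });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.0.11', dev: true },
    'node_modules/some-ui/node_modules/handlebars': { version: '4.1.2' },
    'node_modules/reporter/node_modules/handlebars': { version: '4.7.7' },
    'node_modules/handlebars-loader': { version: '1.7.1', dev: true },
  },
};

console.log(findVulnerableHandlebars(sampleLock));
```

A `dev-only` result only reflects how the lockfile classifies that copy; whether templates are processed at runtime still has to be confirmed in the application code.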