Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. Reference: https://www.npmjs.com/advisories/1300
Created nodejs-handlebars tracking bugs for this issue: Affects: epel-all [bug 1882258]; Affects: fedora-all [bug 1882257]
The upstream patch: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
External References: https://www.npmjs.com/advisories/1300
Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating. Red Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions the version used is newer and not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating. Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container-first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but because the Grafana instance runs in read-only mode, the configuration and dashboards cannot be modified.
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20922
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334