Bug 1948761 (CVE-2021-23369) - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23369
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1953316 1956691 1883902 1949679 1951441 1951442 1951443 1951444 1951445 1951446 1952909 1956690 1956702 1956703 1956864 1956865 1956866 1956867
Blocks: 1948762
Reported: 2021-04-12 20:52 UTC by Pedro Sampaio
Modified: 2023-08-31 23:52 UTC

Fixed In Version: handlebars 4.7.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker who can provide untrusted Handlebars templates to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-06-29 10:41:21 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2500 0 None None None 2021-06-29 06:30:34 UTC
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:51:02 UTC
Red Hat Product Errata RHSA-2021:4032 0 None None None 2021-11-17 03:31:50 UTC
Red Hat Product Errata RHSA-2021:4628 0 None None None 2021-11-17 02:23:07 UTC
Red Hat Product Errata RHSA-2023:1334 0 None None None 2023-03-20 09:13:23 UTC

Description Pedro Sampaio 2021-04-12 20:52:16 UTC
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

References:

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
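
The following triage sketch is an added example, not code from this bug report or from the handlebars project. It lists every handlebars copy below the fixed version 4.7.7 in a parsed package-lock.json (v1 nested layout or v2/v3 flat layout) and includes a text heuristic for the strict:true compile option; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: triage a Node.js project for CVE-2021-23369.
const FIXED = [4, 7, 7]; // "Fixed In Version: handlebars 4.7.7" from this bug

// True when a version string sorts below 4.7.7 (prereleases of 4.7.7 included).
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true; // unparseable or missing version: flag for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // e.g. "4.7.7-rc.1" predates the fixed release
}

// Return every installed handlebars copy below the fixed version.
function findVulnerableHandlebars(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/handlebars$/.test(path) && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'handlebars' && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Heuristic only: does this source text set the strict:true option anywhere?
function mentionsStrictTrue(source) {
  return /\bstrict["']?\s*:\s*true\b/.test(source);
}

// Constructed sample lockfile (v1 layout), not taken from any real project.
const sampleLock = { lockfileVersion: 1, dependencies: {
  handlebars: { version: '4.7.7' },
  'report-gen': { version: '1.0.0', dependencies: { handlebars: { version: '4.7.6' } } },
} };
console.log(findVulnerableHandlebars(sampleLock));
```

A hit on the version check alone does not establish exposure: the flaw also requires templates from an untrusted source to be compiled with strict:true, so the text heuristic is a starting point for code review rather than a verdict.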

Comment 13 Riccardo Schirone 2021-05-04 08:49:46 UTC
This issue is just about the strict:true option.

Comment 14 Riccardo Schirone 2021-05-04 08:52:25 UTC
Created nodejs-handlebars tracking bugs for this issue:

Affects: epel-7 [bug 1956691]
Affects: fedora-32 [bug 1956690]

Comment 20 Hardik Vyas 2021-05-10 13:05:39 UTC
Statement:

Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. 
The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.

In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth, which reduces the impact of this flaw to LOW.

Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.

Red Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs); however, it does not use the "strict" option or templates from external sources, hence this issue has been rated as having a security impact of Low.

Comment 24 errata-xmlrpc 2021-06-29 06:30:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500

Comment 25 Product Security DevOps Team 2021-06-29 10:41:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23369

Comment 26 errata-xmlrpc 2021-08-06 00:50:59 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 30 errata-xmlrpc 2021-11-17 02:23:05 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.1

Via RHSA-2021:4628 https://access.redhat.com/errata/RHSA-2021:4628

Comment 31 errata-xmlrpc 2021-11-17 03:31:48 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2021:4032 https://access.redhat.com/errata/RHSA-2021:4032

Comment 34 errata-xmlrpc 2023-03-20 09:13:20 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334

