CVE-2021-23369

Remote Code Execution (RCE)

CVSS 5.6 MEDIUMEPSS 7.0%

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.6EPSS 7.0%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 Apr 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Affected products

n/a · handlebars

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8 https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427 https://security.netapp.com/advisory/ntap-20210604-0008/https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952 https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767