CVE-2021-23369
Remote Code Execution (RCE)
Public Exploits: 4
Exploited in Wild: -
Decision: -
Descriptions
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
The handlebars package, in versions before 4.7.7, is vulnerable to Remote Code Execution (RCE) when certain compilation options are selected to compile templates that come from an untrusted source.
A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker who can provide untrusted handlebars templates to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-01-08 CVE Reserved
- 2021-04-12 CVE Published
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- 2024-11-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://security.netapp.com/advisory/ntap-20210604-0008 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950 | 2024-09-16 | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951 | 2024-09-16 | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952 | 2024-09-16 | |
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 | 2024-09-16 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2021-23369 | 2023-03-20 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1948761 | 2023-03-20 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Handlebarsjs | Handlebars | < 4.7.7 | node.js | Affected |